File name: Wireless_AutoSwitch_XPV.1.5.7.4.msi

Full analysis: https://app.any.run/tasks/4ae87b0a-94fd-4c70-a272-948278f249bb
Verdict: Malicious activity
Analysis date: August 08, 2023, 13:30:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Keywords: Installer,MSI,Database, Code page: 1252, Name of Creating Application: MakeMsi version 22.121, a free tool by Dennis Bareis (http://dennisbareis.com/makemsi.htm), Security: 0, Revision Number: {3C5F3653-7418-4BB7-88F4-B05F964C129C}, Template: Intel;1033, Number of Pages: 110, Title: Wireless AutoSwitch XPV, Subject: 1.5.7.4 (created Tue Jan 24 2023 at 11:41:53am), Number of Words: 2, Create Time/Date: Tue Jan 24 16:42:01 2023, Total Editing Time: Tue Jan 24 16:42:01 2023, Comments: Wireless AutoSwitch XPV, Author: Sase Sham, Inc., Last Saved By: Sase Sham, Inc.
MD5: 36C443162D63A82070AA3E3B2C5BF7B5
SHA1: 0D79047D6D530EDF6A0E70AA8754612E640D85BF
SHA256: 8C841EB4C765E8BD71CEAFFCD618A275B5DC3FCB48C65DDCC77CFE9BC73C9BB3
SSDEEP: 49152:J/PXtY5Akhd0LVSUl3zaYQNQiJx4YD6pdfFl7YTAiWl:ZtY5Ae0hS0aOgxVD2fFl7X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • msiexec.exe (PID: 1000)
    • Application was dropped or rewritten from another process
      • WrlsAutoSW Toggle.exe (PID: 3572)
      • WrlsAutoSW.exs (PID: 3200)
    • Loads dropped or rewritten executable
      • regsvr32.exe (PID: 3736)
      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
  • SUSPICIOUS
    • Executes as Windows Service
      • VSSVC.exe (PID: 616)
      • WrlsAutoSW.exs (PID: 3200)
  • INFO
    • The process checks LSA protection
      • msiexec.exe (PID: 1872)
      • msiexec.exe (PID: 1000)
      • wmpnscfg.exe (PID: 1040)
      • VSSVC.exe (PID: 616)
      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Reads the machine GUID from the registry
      • msiexec.exe (PID: 1000)
      • wmpnscfg.exe (PID: 1040)
      • WrlsAutoSW.exs (PID: 3200)
    • Checks supported languages
      • msiexec.exe (PID: 1000)
      • wmpnscfg.exe (PID: 1040)
      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Reads the computer name
      • msiexec.exe (PID: 1000)
      • wmpnscfg.exe (PID: 1040)
      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 1040)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 1000)
    • Creates files in the program directory
      • WrlsAutoSW.exs (PID: 3200)
    • Creates files in a temporary directory
      • msiexec.exe (PID: 1000)
    • Creates files or folders in the user directory
      • WrlsAutoSW Toggle.exe (PID: 3572)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (79.6)
.mst | Windows SDK Setup Transform Script (9)
.msp | Windows Installer Patch (7.4)
.doc | Microsoft Word document (old ver.) (2.7)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastModifiedBy: Sase Sham, Inc.
Author: Sase Sham, Inc.
Comments: Wireless AutoSwitch XPV
TotalEditTime: 2023:01:24 16:42:01
CreateDate: 2023:01:24 16:42:01
Words: 2
Subject: 1.5.7.4 (created Tue Jan 24 2023 at 11:41:53am)
Title: Wireless AutoSwitch XPV
Pages: 110
Template: Intel;1033
RevisionNumber: {3C5F3653-7418-4BB7-88F4-B05F964C129C}
Security: None
Software: MakeMsi version 22.121, a free tool by Dennis Bareis (http://dennisbareis.com/makemsi.htm)
CodePage: Windows Latin 1 (Western European)
Keywords: Installer,MSI,Database
Total processes: 43
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph: msiexec.exe, msiexec.exe, wmpnscfg.exe, vssvc.exe, regsvr32.exe, wrlsautosw.exs, wrlsautosw toggle.exe

Process information

PID: 616
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\vssvc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\user32.dll

PID: 1000
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 1040
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\program files\windows media player\wmpnscfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll, c:\windows\system32\sspicli.dll, c:\windows\system32\ole32.dll

PID: 1872
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Wireless_AutoSwitch_XPV.1.5.7.4.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\user32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\gdi32.dll

PID: 3200
CMD: "C:\Program Files\Wireless AutoSwitch\WrlsAutoSW.exs"
Path: C:\Program Files\Wireless AutoSwitch\WrlsAutoSW.exs
Parent process: services.exe
User: SYSTEM
Company: Sase Sham, Inc.
Integrity Level: SYSTEM
Description: WrlsAutoSW XPV
Exit code: 0
Version: 1.5.7.4
Modules (images): c:\program files\wireless autoswitch\wrlsautosw.exs, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\lpk.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\usp10.dll, c:\windows\system32\advapi32.dll

PID: 3572
CMD: "C:\Program Files\Wireless AutoSwitch\WrlsAutoSW Toggle.exe"
Path: C:\Program Files\Wireless AutoSwitch\WrlsAutoSW Toggle.exe
Parent process: explorer.exe
User: admin
Company: Sase Sham, Inc.
Integrity Level: MEDIUM
Description: WrlsAutoSW Toggle
Exit code: 0
Version: 1.3.2
Modules (images): c:\program files\wireless autoswitch\wrlsautosw toggle.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 3736
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wireless AutoSwitch\IsLicense30.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\regsvr32.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\usp10.dll
Total events: 4 756
Read events: 4 726
Write events: 16
Delete events: 14

Modification events

Process: (PID 1040) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{9E28AE6A-1FA4-494D-83E9-35F4866C35E3}\{554C5F18-D668-4AC6-AE2B-7CD6C3833FB7}
Operation: delete key
Name: (default)
Value: (empty)

Process: (PID 1040) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{9E28AE6A-1FA4-494D-83E9-35F4866C35E3}
Operation: delete key
Name: (default)
Value: (empty)

Process: (PID 1040) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{8D86A374-2CEB-4BD0-BC9F-E9C5646581D1}
Operation: delete key
Name: (default)
Value: (empty)

Process: (PID 1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (PID 1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (PID 1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 72

Process: (PID 1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 40000000000000008C62D6BA16B0D901C80700002C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (PID 1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Leave)
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000

Process: (PID 1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppAddInterestingComponents (Enter)
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (PID 1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppAddInterestingComponents (Leave)
Value: 400000000000000034645DBC16B0D901C80700002C0A0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 14
Suspicious files: 10
Text files: 3
Unknown types: 0

Dropped files

PID: 1000, Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 1000, Process: msiexec.exe
Filename: C:\Program Files\Wireless AutoSwitch\WrlsAutoSWLog.txt
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 1000, Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 57C4739F1BE21496E70D57C304518B68
SHA256: 38612E569AA9F3F68764035972765EC1F2C2F918415D3634E8259D5B987D1CCF

PID: 1000, Process: msiexec.exe
Filename: C:\Program Files\Wireless AutoSwitch\wbdLA44I.dll
Type: executable
MD5: 161CF63E4C819B1F111D8A1A067BA397
SHA256: B127E2920C64B5BFA855D426DA6AB42F67EE2154DB0294EB3C50496FED3D184D

PID: 1000, Process: msiexec.exe
Filename: C:\Program Files\Wireless AutoSwitch\wrlssw64.exe
Type: executable
MD5: 7DC9C0C5A5C9DB487FF31631E0344829
SHA256: EF77FB512A9CEAE9F86B0A07BAE7543A486341C3522D8CF1FF0B6FB8355DDECF

PID: 1000, Process: msiexec.exe
Filename: C:\Program Files\Wireless AutoSwitch\wproc34i.dll
Type: executable
MD5: 25A318704594DA7A69CCFF0BD381AAF0
SHA256: 95BF390950A83CE97BC398E3E4F25BF914F58A13AA61B2044F26A44ECC8D3D36

PID: 1000, Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{ea91580e-0fa8-49f5-b329-82de949d7af5}_OnDiskSnapshotProp
Type: binary
MD5: 57C4739F1BE21496E70D57C304518B68
SHA256: 38612E569AA9F3F68764035972765EC1F2C2F918415D3634E8259D5B987D1CCF

PID: 1000, Process: msiexec.exe
Filename: C:\Program Files\Wireless AutoSwitch\WrlsAutoSW.exs
Type: executable
MD5: 454850DA52224C240566F03A412BE142
SHA256: 31D35740F4303512B56E23CC09F5B45DD326D50A2E3C742EE46B5567DD7D136C

PID: 1000, Process: msiexec.exe
Filename: C:\Program Files\Wireless AutoSwitch\wrlsswV64.exe
Type: executable
MD5: CDBAE64001AC9838AF57792D4065A00C
SHA256: 0EB71D235CD74CB66171FB0C8736D5BF76A5FDCC84A6542C411F2FD70D2132F4

PID: 1000, Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF25815A9BC682AE9E.TMP
Type: binary
MD5: E04BE6D40CFDD12ACC2FCBE1ABE55DBC
SHA256: 1C997B3767D910E493E6544E2445589B7745112E1215059A5D2267D4E0CCF9E0
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
3284 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info