File name: WFS.exe
Full analysis: https://app.any.run/tasks/5af717ae-34b7-4095-99d9-14392eeb04d8
Verdict: Malicious activity
Analysis date: September 12, 2024, 20:30:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 0027EBE13C0814FDB0389D2A9182AA5A
SHA1: AF8DECB4D93C8B6A9C38781158B5CDCAECB5ED90
SHA256: C5E2440DD76B81B83A4E25B1B007F5005C37467F20CE5241B15A66D9A4A27A73
SSDEEP: 12288:i/N4m4LZhRQ1kLfudLVNI3ZhB7/hYWu9acSnXpuuJx584+XpuuJL7hpiVVEdh30D:i/2ZikTG8phYZM7584E9ZNf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Writes to the desktop.ini file (may be used to cloak folders)
      • WFS.exe (PID: 1568)
    • Process drops legitimate Windows executable
      • WFS.exe (PID: 1568)
    • Detected use of alternative data streams (AltDS)
      • WFS.exe (PID: 1568)
    • Starts a Microsoft application from an unusual location
      • WFS.exe (PID: 1568)
    • Executes as a Windows service
      • FXSSVC.exe (PID: 7052)
    • Reads the Windows owner or organization settings
      • WFS.exe (PID: 1568)
  • INFO
    • Reads the computer name
      • WFS.exe (PID: 1568)
    • Creates files in the program directory
      • FXSSVC.exe (PID: 7052)
    • Checks supported languages
      • WFS.exe (PID: 1568)
    • Disables trace logs
      • FXSSVC.exe (PID: 7052)
    • Creates files in a temporary directory
      • WFS.exe (PID: 1568)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 1983:09:09 00:32:50+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.2
CodeSize: 476160
InitializedDataSize: 493568
UninitializedDataSize: -
EntryPoint: 0x6e520
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 10
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.4355
ProductVersionNumber: 10.0.19041.4355
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Fax and Scan
FileVersion: 10.0.19041.4355 (WinBuild.160101.0800)
InternalName: ClientConsole.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: ClientConsole.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.4355
All screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start | wfs.exe (no specs) | fxssvc.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
1568 | "C:\Users\admin\Desktop\WFS.exe" | C:\Users\admin\Desktop\WFS.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Fax and Scan
Version: 10.0.19041.4355 (WinBuild.160101.0800)
Modules (Images):
c:\users\admin\desktop\wfs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

7052 | C:\WINDOWS\system32\fxssvc.exe | C:\Windows\System32\FXSSVC.exe | - | services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Fax Service
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\fxssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shlwapi.dll
Total events: 1 020
Read events: 1 003
Write events: 16
Delete events: 1

Modification events

(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax | Operation: write | Name: RedirectionGuard | Value: 1
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | Operation: write | Name: Password | Value: 00
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | Operation: delete value | Name: Password | Value: -
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | Operation: write | Name: Server | Value: -
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | Operation: write | Name: From | Value: -
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts | Operation: write | Name: User | Value: -
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Security | Operation: write | Name: Descriptor | Value: 010004805C000000680000000000000014000000020048000300000000001800E7020E000102000000000005200000002002000000001400030002000101000000000001000000000000140027020200010100000000000504000000010100000000000514000000010100000000000514000000
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Outbound Routing\Groups\<All devices> | Operation: write | Name: Devices | Value: -
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Outbound Routing\Rules\0:0 | Operation: write | Name: CountryCode | Value: 0
(PID) Process: (7052) FXSSVC.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Outbound Routing\Rules\0:0 | Operation: write | Name: AreaCode | Value: 0
Executable files: 1
Suspicious files: 3
Text files: 3
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1568 | WFS.exe | C:\Users\admin\Documents\Scanned Documents\Welcome Scan.jpg:3or4kl4x13tuuug3Byamue2s4b | -
MD5: -
SHA256: -
1568 | WFS.exe | C:\Users\admin\AppData\Local\Temp\MSFaxConsoleTempPreview-#00000620ad95d71d.tif | binary
MD5: 54EB5F0F7F114FA734BBA5502978DFA3
SHA256: 4A4C0268526599811E8CA91A50C0B0F4511A259A4AAFE3F65C174BC4D026F964
1568 | WFS.exe | C:\Users\admin\Documents\Fax\Drafts\desktop.ini | ini
MD5: 049287DAE44828AE84F1F63806E68689
SHA256: EEF82D186B097ABD1A114E1BD2DB82EDCEB4AE9437DFE7C7E11ED4711A7151D1
1568 | WFS.exe | C:\Users\admin\Documents\Scanned Documents\Welcome Scan.jpg | image
MD5: 73D4281E46A68222934403627E5B4E19
SHA256: AAC4AC970EC47CD95DC7C65D7D38D29C1F948BE24D5DAD1D5AA21053125367C7
1568 | WFS.exe | C:\Users\admin\Documents\Scanned Documents\desktop.ini | text
MD5: 88CC9559EF771AE2D5F1879721226E8A
SHA256: FC1162993DE676F59BEFF2FB6A315081755C7500CD3CA729E691AEA0EB41B516
1568 | WFS.exe | C:\Users\admin\Documents\Fax\Inbox\desktop.ini | ini
MD5: 78123470C02CA0DB68A5E9F355503B1A
SHA256: E07BD44303DEF6DA0204F92CDDCDAA6A44A393CF8E713C617FC66640486DA4B8
1568 | WFS.exe | C:\Users\admin\Documents\Fax\Inbox\WelcomeFax.tif | binary
MD5: 54EB5F0F7F114FA734BBA5502978DFA3
SHA256: 4A4C0268526599811E8CA91A50C0B0F4511A259A4AAFE3F65C174BC4D026F964
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 18
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2248 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
4760 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2248 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4760 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2248 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4760 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 216.58.206.46 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

No threats detected
No debug info