File name: udasf.exe
Full analysis: https://app.any.run/tasks/286dc3f6-0b9f-44c2-bcc4-9b8f906ddd00
Verdict: Malicious activity
Threat: stealer

Stealers are a class of malware built to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency; many also spy on their targets by logging keystrokes and taking screenshots. Stealers are distributed primarily through phishing campaigns.

What this run shows for this sample: udasf.exe copies itself to C:\ProgramData\WindowsSecurity\WscService.exe (the dropped file has the same MD5 and SHA256 as udasf.exe), registers that copy as an HKCU Run value named MicrosoftSecurityCenter, and launches it with the arguments "main spawnbuddy"; each "main" instance starts a second copy with "buddy <parent PID>", and every instance rewrites the same Run value. No network threats were flagged; the connections shown in this summary are Microsoft activation and telemetry endpoints (from slui.exe), a NetBIOS broadcast and a google.com lookup, with no request attributed to udasf.exe or WscService.exe.

Analysis date: March 13, 2025, 21:22:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autorun-reg
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: EE38952F42924AA386384C6FD8585D4C
SHA1: 1D297FB5C1C096B3112B7A8AA86E3613012456F7
SHA256: B30AE0ACCF95CE23A7A3CC92E57865C4ED00FD6D7FDE6A001ED969F7B2D5D20E
SSDEEP: 1536:UHTPM+/oZ5IaTgyjAg1OOjmIY+uEhogb5W9vCSruuhE2N/9ieh:6jW5IMgQAIdHuEXbovC8bEi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 2096)
    • Actions looks like stealing of personal data

      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 864)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • udasf.exe (PID: 6036)
    • Starts itself from another location

      • udasf.exe (PID: 6036)
    • Application launched itself

      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 3896)
  • INFO

    • Checks supported languages

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 2096)
    • Creates files in the program directory

      • udasf.exe (PID: 6036)
    • Reads the computer name

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 2096)
    • Autorun file from Registry key

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 2096)
    • Manual execution by a user

      • WscService.exe (PID: 6540)
    • Checks proxy server information

      • slui.exe (PID: 2420)
    • Reads the software policy settings

      • slui.exe (PID: 2420)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:13 20:58:54+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 28672
InitializedDataSize: 286720
UninitializedDataSize: -
EntryPoint: 0x6e20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 132
Monitored processes: 13
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Process chain as shown in the graph, with parents and command-line arguments taken from the process table below (each WscService.exe instance also has a conhost.exe child; "no specs" is the report's marker for a process with no signature details):

explorer.exe
  udasf.exe (PID 6036)
    WscService.exe (PID 3896) "main spawnbuddy"
      WscService.exe (PID 2096) "buddy 3896"
WscService.exe (PID 6540, manual execution by a user)
WscService.exe (PID 864) "main spawnbuddy", parent: WscService.exe
  WscService.exe (PID 5008) "buddy 864"
svchost.exe
  slui.exe (PID 2420, Windows Activation Client; started by svchost.exe, not by the sample)

Process information

Columns: PID, CMD, Path, Indicators, Parent process (one entry per monitored process)
PID: 536
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WscService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WscService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" main spawnbuddy
Path: C:\ProgramData\WindowsSecurity\WscService.exe
Parent process: WscService.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\windowssecurity\wscservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1052
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WscService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1852
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WscService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2096
CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" buddy 3896
Path: C:\ProgramData\WindowsSecurity\WscService.exe
Parent process: WscService.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\windowssecurity\wscservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 2420
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3896
CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" main spawnbuddy
Path: C:\ProgramData\WindowsSecurity\WscService.exe
Parent process: udasf.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\windowssecurity\wscservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 5008
CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" buddy 864
Path: C:\ProgramData\WindowsSecurity\WscService.exe
Parent process: WscService.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\windowssecurity\wscservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 6036
CMD: "C:\Users\admin\Desktop\udasf.exe"
Path: C:\Users\admin\Desktop\udasf.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\udasf.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 3 707
Read events: 3 701
Write events: 6
Delete events: 0

Modification events

(PID) Process: (6036) udasf.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftSecurityCenter
Value: C:\ProgramData\WindowsSecurity\WscService.exe

(PID) Process: (6540) WscService.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftSecurityCenter
Value: C:\ProgramData\WindowsSecurity\WscService.exe

(PID) Process: (864) WscService.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftSecurityCenter
Value: C:\ProgramData\WindowsSecurity\WscService.exe

(PID) Process: (5008) WscService.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftSecurityCenter
Value: C:\ProgramData\WindowsSecurity\WscService.exe

(PID) Process: (3896) WscService.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftSecurityCenter
Value: C:\ProgramData\WindowsSecurity\WscService.exe

(PID) Process: (2096) WscService.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftSecurityCenter
Value: C:\ProgramData\WindowsSecurity\WscService.exe

All six write events set the same value: the dropper and every WscService.exe instance re-assert the Run entry, so removing the registry value while any instance is still running is not sufficient; the processes have to be terminated first, then the value and the ProgramData copy removed.
Executable files: 1
Suspicious files: 39
Text files: 1
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type
PID 6036, udasf.exe: C:\ProgramData\WindowsSecurity\WscService.exe (executable)
  MD5: EE38952F42924AA386384C6FD8585D4C
  SHA256: B30AE0ACCF95CE23A7A3CC92E57865C4ED00FD6D7FDE6A001ED969F7B2D5D20E
  These hashes are identical to those of udasf.exe itself: the dropped file is a byte-for-byte self-copy, and it is the target of the MicrosoftSecurityCenter Run value.
PID 864, WscService.exe: C:\Users\admin\Documents\Outlook Files\Outlook1.pst (binary)
  MD5: 303A527F8C955CECDB6FDF16056CC261
  SHA256: 4F205068763FAD92A6E8D3D8555C5BB9DD0F20BAB0B4C876FEBAEECC274DD4E4
PID 864, WscService.exe: C:\Users\admin\Documents\edgestructure.rtf (binary)
  MD5: 8DD3105A6A21F47339D2963DF518295A
  SHA256: 0462BA5C7BFECC01E678EE70F966D807C9E6A0ECD5E7A02439445E5AE23A39C7
PID 864, WscService.exe: C:\Users\admin\Documents\journalresponsibility.rtf (binary)
  MD5: 2D41655F6AC80F8F7FE637E97149C6BD
  SHA256: A5687A7C339BD40A62C8903C073C65E9F7C044CC3391A791585DEB9D6D94DADE
PID 864, WscService.exe: C:\Users\admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2 (binary)
  MD5: 102635F1C811E9B5E4D3DEA94B6571F1
  SHA256: 2CEC31F688A5544635D56716ACA89ECA0EED4692A47B452BEEED589CCC121F15
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\New-SqliteConnection.ps1 (binary)
  MD5: A4969DDEF01E87E2D3F8E7C204F369E7
  SHA256: 402D91445DE583A5742CA964944FAD4C17A28EB1042165F01C5432488EC2F22D
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteBulkCopy.ps1 (binary)
  MD5: EC557E5667AAF3ABD7E6170195A25D70
  SHA256: EC503FDE487838A01F5F2E09AAD3DF51724E887EE1B4CE30246C98EE1149161E
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\PSSQLite.psd1 (binary)
  MD5: E6C1D2E62236F323419F6770410EAF53
  SHA256: E842A7C84A3D5FEA7F4D0390A7EEE9AFCAEC0D63AA11FD4E7DF1CB7F801CA373
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\PSGetModuleInfo.xml (binary)
  MD5: 15B4442DD75D0F413749E7D2A634AD08
  SHA256: ADE91350D0E84BC456C6319AC7B5FE460BE783D968962638E9BA52F13A643CF9
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteQuery.ps1 (binary)
  MD5: 1E2BD973B9B3EA1AEBF09922135239AD
  SHA256: 88A5821B98CF9DDF92E0EA1B3F354116B95C8C1745E8F8B304664E8CEC9795FE

The entries under C:\Users\admin\Documents\ (an Outlook store, RTF documents, a OneNote table of contents and a PowerShell module) are user files that the report attributes to WscService.exe (PID 864); together with the "Actions looks like stealing of personal data" signature on PIDs 864 and 3896, this is the data-access activity of the run. Only these entries are shown here; the counts above list 39 suspicious files in total.
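A disk-side check for the self-copy shown in this list, as an added example that is not part of the ANY.RUN report or of the sample: it hashes every file under a root, reports matches against the report's SHA256, and groups byte-identical files that sit in different directories (the Desktop to ProgramData copy pattern above), which catches a renamed copy even when the hash is not yet on an indicator list. The placeholder tree written by build_demo_tree() is constructed so the sweep runs offline; its file contents are invented and do not hash to the real sample.

```python
"""Disk triage for the self-copy shown in the dropped-files list above.

Added example: not ANY.RUN's code and not the sample's. sweep() hashes every
file under a root, reports hits against the report's SHA256, and groups
byte-identical files that sit in different directories. build_demo_tree()
writes constructed placeholder files so the sweep runs offline; their contents
are invented and do not hash to the real sample.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# SHA256 of udasf.exe / WscService.exe from the report.
IOC_SHA256 = {"B30AE0ACCF95CE23A7A3CC92E57865C4ED00FD6D7FDE6A001ED969F7B2D5D20E"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file so .pst-sized inputs are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def sweep(root, iocs=IOC_SHA256):
    """Return (hits, copies). hits: sorted (relative path, sha256) pairs for
    IOC matches. copies: sorted lists of relative paths, one list per digest
    that appears in more than one directory. Paths use '/' for portability."""
    by_digest = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # locked or unreadable file: skip it, never abort the sweep
            by_digest[digest].append(os.path.relpath(full, root).replace(os.sep, "/"))
    hits = sorted((p, d) for d, paths in by_digest.items() if d in iocs for p in paths)
    copies = sorted(sorted(paths) for paths in by_digest.values()
                    if len({os.path.dirname(p) for p in paths}) > 1)
    return hits, copies


def build_demo_tree():
    """Constructed stand-in for the sandbox file system; returns its root."""
    root = tempfile.mkdtemp(prefix="triage_")
    fake_pe = b"MZ" + b"\x90" * 64 + b"placeholder, not the real sample"
    layout = {
        "Users/admin/Desktop/udasf.exe": fake_pe,
        "ProgramData/WindowsSecurity/WscService.exe": fake_pe,  # byte-identical copy
        "Users/admin/Documents/edgestructure.rtf": b"{\\rtf1 constructed}",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    hits, copies = sweep(demo_root)
    print("IOC hits:", hits or "none (placeholder files)")
    print("identical files in different directories:", copies)
```

Against a real host the IOC set is extended with the hashes from this report and the root pointed at C:\ (or at C:\Users and C:\ProgramData to keep the sweep short); the copy grouping is what exposes a variant that changed only its file name.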
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP code, IP, URL, CN, Type, Size, Reputation (no PID or process is recorded for either row)

POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | xml | 512 b | whitelisted
POST | (no code) | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | CN: unknown | whitelisted

Both requests go to the Windows activation endpoint and are consistent with the slui.exe connections listed below; no HTTP request in this summary is attributed to udasf.exe or WscService.exe.

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

(no PID) | 192.168.100.255:138 | (NetBIOS datagram broadcast) | whitelisted
(no PID) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3332 slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2420 slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Columns: Domain, IP, Reputation

settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 172.217.18.14 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats: no threats detected

Debug info: none