File name: udasf.exe
Full analysis: https://app.any.run/tasks/286dc3f6-0b9f-44c2-bcc4-9b8f906ddd00
Verdict: Malicious activity
Threats: Stealer

Stealers are a family of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: March 13, 2025, 21:22:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: autorun-reg, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: EE38952F42924AA386384C6FD8585D4C
SHA1: 1D297FB5C1C096B3112B7A8AA86E3613012456F7
SHA256: B30AE0ACCF95CE23A7A3CC92E57865C4ED00FD6D7FDE6A001ED969F7B2D5D20E
SSDEEP: 1536:UHTPM+/oZ5IaTgyjAg1OOjmIY+uEhogb5W9vCSruuhE2N/9ieh:6jW5IMgQAIdHuEXbovC8bEi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 2096)
    • Actions look like stealing of personal data

      • WscService.exe (PID: 864)
      • WscService.exe (PID: 3896)
  • SUSPICIOUS

    • Starts itself from another location

      • udasf.exe (PID: 6036)
    • Executable content was dropped or overwritten

      • udasf.exe (PID: 6036)
    • Application launched itself

      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 3896)
  • INFO

    • Creates files in the program directory

      • udasf.exe (PID: 6036)
    • Checks supported languages

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 2096)
    • Reads the computer name

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 2096)
    • Autorun file from Registry key

      • udasf.exe (PID: 6036)
      • WscService.exe (PID: 6540)
      • WscService.exe (PID: 864)
      • WscService.exe (PID: 5008)
      • WscService.exe (PID: 3896)
      • WscService.exe (PID: 2096)
    • Manual execution by a user

      • WscService.exe (PID: 6540)
    • Checks proxy server information

      • slui.exe (PID: 2420)
    • Reads the software policy settings

      • slui.exe (PID: 2420)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:13 20:58:54+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 28672
InitializedDataSize: 286720
UninitializedDataSize: -
EntryPoint: 0x6e20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
All screenshots are available in the full report
Total processes: 132
Monitored processes: 13
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Nodes as drawn in the graph (process details in the full report): start, udasf.exe, conhost.exe (no specs), wscservice.exe, conhost.exe (no specs), wscservice.exe, conhost.exe (no specs), wscservice.exe, conhost.exe (no specs), wscservice.exe, conhost.exe (no specs), wscservice.exe, conhost.exe (no specs), slui.exe

Process information

PID 536
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: WscService.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 664
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: WscService.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 864
  CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" main spawnbuddy
  Path: C:\ProgramData\WindowsSecurity\WscService.exe
  Parent process: WscService.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images): c:\programdata\windowssecurity\wscservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 1052
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: WscService.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 1852
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: WscService.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 2096
  CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" buddy 3896
  Path: C:\ProgramData\WindowsSecurity\WscService.exe
  Parent process: WscService.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images): c:\programdata\windowssecurity\wscservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 2420
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID 3896
  CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" main spawnbuddy
  Path: C:\ProgramData\WindowsSecurity\WscService.exe
  Parent process: udasf.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images): c:\programdata\windowssecurity\wscservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 5008
  CMD: "C:\ProgramData\WindowsSecurity\WscService.exe" buddy 864
  Path: C:\ProgramData\WindowsSecurity\WscService.exe
  Parent process: WscService.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images): c:\programdata\windowssecurity\wscservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 6036
  CMD: "C:\Users\admin\Desktop\udasf.exe"
  Path: C:\Users\admin\Desktop\udasf.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images): c:\users\admin\desktop\udasf.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll
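The command lines above pair each "main spawnbuddy" instance of WscService.exe with a "buddy <PID>" instance whose argument is the PID of a running "main" instance, and the genuine Windows images in the list (conhost.exe, slui.exe) are the only ones that carry a Company and Version. The Python script below is an added example, not part of the ANY.RUN report or of the sample: it replays the process records transcribed from this section and recovers those relationships. The report does not print parent PIDs, so parentage is matched on the parent image name and on the PID inside the buddy argument; the SYSTEM_DIRS heuristic is this example's own assumption.

```python
"""Process-tree triage over the process records in this report.

The records below are transcribed from the "Process information" section
(PID, image path, command line, parent image name, version resource). The
report does not print the parent PID, so parentage is matched on image name
and on the PID carried in the "buddy <pid>" argument. Constructed data; not
read from a live system.
"""
from __future__ import annotations

from dataclasses import dataclass

# Directories whose binaries normally carry a version resource and are not
# user-writable. Assumed triage heuristic, not an ANY.RUN rule.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str
    cmdline: str
    parent: str        # parent image name as printed in the report
    company: str = ""  # version-resource CompanyName; "" when the report shows none
    version: str = ""  # version-resource FileVersion; "" when the report shows none

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def split_args(cmdline: str) -> list[str]:
    """Arguments after the image token of a Windows command line.

    Only the leading image token may be quoted, which covers every command
    line in this report; a full CommandLineToArgvW port is not needed here.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        rest = s[s.find('"', 1) + 1:]
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.split()


WSC = r"C:\ProgramData\WindowsSecurity\WscService.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
CONHOST_CMD = r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"


def _conhost(pid: int) -> Proc:
    return Proc(pid, CONHOST, CONHOST_CMD, "WscService.exe", "Microsoft Corporation", "10.0.19041.1")


# Transcribed from the report (constructed input for this example).
PROCS = [
    _conhost(536), _conhost(664), _conhost(1052), _conhost(1852),
    Proc(864, WSC, f'"{WSC}" main spawnbuddy', "WscService.exe"),
    Proc(2096, WSC, f'"{WSC}" buddy 3896', "WscService.exe"),
    Proc(2420, r"C:\Windows\System32\slui.exe", r"C:\WINDOWS\System32\slui.exe -Embedding",
         "svchost.exe", "Microsoft Corporation", "10.0.19041.1"),
    Proc(3896, WSC, f'"{WSC}" main spawnbuddy', "udasf.exe"),
    Proc(5008, WSC, f'"{WSC}" buddy 864', "WscService.exe"),
    Proc(6036, r"C:\Users\admin\Desktop\udasf.exe", r'"C:\Users\admin\Desktop\udasf.exe" ', "explorer.exe"),
]


def watchdog_pairs(procs: list[Proc]) -> list[tuple[int, int]]:
    """(main_pid, buddy_pid) for every 'buddy <pid>' instance whose argument
    names a live 'main' instance of the same image. Two instances that each
    hold the other's PID is the usual shape of a respawning watchdog pair; the
    report's signatures do not name it, so treat this as an inference."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for p in procs:
        args = split_args(p.cmdline)
        if len(args) == 2 and args[0] == "buddy" and args[1].isdigit():
            main = by_pid.get(int(args[1]))
            if main and main.image == p.image and split_args(main.cmdline)[:1] == ["main"]:
                pairs.append((main.pid, p.pid))
    return sorted(pairs)


def launched_by_same_image(procs: list[Proc]) -> list[int]:
    """PIDs whose parent is another instance of their own image. ANY.RUN's
    'Application launched itself' signature is attributed to the launching
    parent; without parent PIDs the child side is what can be recovered."""
    return sorted(p.pid for p in procs if p.parent.lower() == p.image)


def unversioned_outside_system_dirs(procs: list[Proc]) -> list[str]:
    """Image paths outside SYSTEM_DIRS with no CompanyName/FileVersion. The
    genuine components here (conhost.exe, slui.exe) have both; the dropped
    'WscService.exe' in ProgramData, named like a Windows service, has neither."""
    return sorted({p.path.lower() for p in procs
                   if not p.path.lower().startswith(SYSTEM_DIRS)
                   and not p.company and not p.version})


if __name__ == "__main__":
    print("watchdog pairs (main, buddy):", watchdog_pairs(PROCS))
    print("launched by same image:", launched_by_same_image(PROCS))
    print("unversioned images outside system dirs:", unversioned_outside_system_dirs(PROCS))
```

Run as-is it reports the two pairs (864, 5008) and (3896, 2096), the three WscService.exe children spawned by another WscService.exe, and the two unversioned images (the Desktop sample and its ProgramData copy). Parent image names alone cannot distinguish which WscService.exe instance spawned which child, which is why the buddy argument is the better handle for the pairing.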
Total events: 3 707
Read events: 3 701
Write events: 6
Delete events: 0

Modification events

All six write events target the same autorun value:

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MicrosoftSecurityCenter
Value: C:\ProgramData\WindowsSecurity\WscService.exe

Written by:
  (PID 6036) udasf.exe
  (PID 6540) WscService.exe
  (PID 864) WscService.exe
  (PID 5008) WscService.exe
  (PID 3896) WscService.exe
  (PID 2096) WscService.exe

The value is first written by the original sample and then re-written by every WscService.exe instance, and it points at the copy of the sample dropped to C:\ProgramData\WindowsSecurity (see Dropped files). An HKCU Run entry needs no elevation to create, which is consistent with every process in the report running at MEDIUM integrity.
Executable files: 1
Suspicious files: 39
Text files: 1
Unknown types: 0

Dropped files

PID 6036, udasf.exe: C:\ProgramData\WindowsSecurity\WscService.exe (executable)
  MD5: EE38952F42924AA386384C6FD8585D4C
  SHA256: B30AE0ACCF95CE23A7A3CC92E57865C4ED00FD6D7FDE6A001ED969F7B2D5D20E
PID 864, WscService.exe: C:\Users\admin\Documents\Outlook Files\Outlook.pst (binary)
  MD5: 1BF519E52D394F0686828E398A4BD24B
  SHA256: 2B647382EAD9A7D3337A8B3ADC0DB6B80668F02ECF95A5D3DDE0B18423811706
PID 864, WscService.exe: C:\Users\admin\Documents\Database1.accdb (binary)
  MD5: 716DD6D02E0250ECCAB044D377DF414E
  SHA256: 4998AE21620413C52C47E9296B23A2A56D2C2B5CA66E527D85EFA58A2495A1A3
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteQuery.ps1 (binary)
  MD5: 1E2BD973B9B3EA1AEBF09922135239AD
  SHA256: 88A5821B98CF9DDF92E0EA1B3F354116B95C8C1745E8F8B304664E8CEC9795FE
PID 864, WscService.exe: C:\Users\admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2 (binary)
  MD5: 102635F1C811E9B5E4D3DEA94B6571F1
  SHA256: 2CEC31F688A5544635D56716ACA89ECA0EED4692A47B452BEEED589CCC121F15
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteBulkCopy.ps1 (binary)
  MD5: EC557E5667AAF3ABD7E6170195A25D70
  SHA256: EC503FDE487838A01F5F2E09AAD3DF51724E887EE1B4CE30246C98EE1149161E
PID 864, WscService.exe: C:\Users\admin\Documents\OneNote Notebooks\My Notebook\Quick Notes.one (binary)
  MD5: 28283EF613D31AAE29B4B0E273FF80D4
  SHA256: BD992B65B13372634D28830F3064E0FE96EA5475203FDE0958DCE1B65712D8CC
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Out-DataTable.ps1 (binary)
  MD5: 5308D3A9FEF5302773F1AEAE5797D7DE
  SHA256: ACC8FE8D59BC60CF1DCB1846B158D7DD42130E094A826A147AF910B16CB19BDC
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\PSSQLite.psd1 (binary)
  MD5: E6C1D2E62236F323419F6770410EAF53
  SHA256: E842A7C84A3D5FEA7F4D0390A7EEE9AFCAEC0D63AA11FD4E7DF1CB7F801CA373
PID 864, WscService.exe: C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\New-SqliteConnection.ps1 (binary)
  MD5: A4969DDEF01E87E2D3F8E7C204F369E7
  SHA256: 402D91445DE583A5742CA964944FAD4C17A28EB1042165F01C5432488EC2F22D

The dropped WscService.exe has the same MD5 and SHA256 as the submitted udasf.exe: it is a byte-identical copy of the sample placed in C:\ProgramData, the path the Run value above points at. The remaining entries are user documents under C:\Users\admin\Documents (an Outlook mail store, an Access database, OneNote pages, PowerShell module files) that the persisted copy touched.
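The Modification events and Dropped files sections together show the persistence chain: the sample copies itself to a user-writable directory, every instance registers that copy under an HKCU Run value, and the persisted copy then touches files in the user's Documents folder. The Python script below is an added example, not part of the ANY.RUN report or of the sample: it correlates the registry writes, the dropped-file hashes and the sample's own SHA256 as transcribed from this report (a subset of the Documents entries is included). RUN_KEYS and USER_WRITABLE are this example's own triage assumptions; the report only shows the HKCU Run key.

```python
"""Correlate the Run-key writes and dropped files listed in this report.

All input below is transcribed from the report's "Indicators", "Modification
events" and "Dropped files" sections (constructed data, not read from a live
host). RUN_KEYS and USER_WRITABLE are this example's own triage assumptions.
"""
from __future__ import annotations

from typing import NamedTuple

SAMPLE_SHA256 = "B30AE0ACCF95CE23A7A3CC92E57865C4ED00FD6D7FDE6A001ED969F7B2D5D20E"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WSC = r"C:\ProgramData\WindowsSecurity\WscService.exe"

# Autostart keys this example recognises (assumption; the report only shows HKCU Run).
RUN_KEYS = {
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\runonce",
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\runonce",
}
# Roots a standard user can write to; an autorun target here needs no elevation to plant.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


class RegWrite(NamedTuple):
    pid: int
    process: str
    key: str
    name: str
    value: str


class Dropped(NamedTuple):
    pid: int
    process: str
    path: str
    kind: str
    sha256: str


# Six identical Run-value writes, transcribed from "Modification events".
REG_WRITES = [
    RegWrite(pid, proc, RUN_KEY, "MicrosoftSecurityCenter", WSC)
    for pid, proc in [(6036, "udasf.exe"), (6540, "WscService.exe"), (864, "WscService.exe"),
                      (5008, "WscService.exe"), (3896, "WscService.exe"), (2096, "WscService.exe")]
]

# Subset of "Dropped files" (constructed input for this example).
DOCS = r"C:\Users\admin\Documents"
DROPPED = [
    Dropped(6036, "udasf.exe", WSC, "executable", SAMPLE_SHA256),
    Dropped(864, "WscService.exe", DOCS + r"\Outlook Files\Outlook.pst", "binary",
            "2B647382EAD9A7D3337A8B3ADC0DB6B80668F02ECF95A5D3DDE0B18423811706"),
    Dropped(864, "WscService.exe", DOCS + r"\Database1.accdb", "binary",
            "4998AE21620413C52C47E9296B23A2A56D2C2B5CA66E527D85EFA58A2495A1A3"),
    Dropped(864, "WscService.exe", DOCS + r"\OneNote Notebooks\My Notebook\Quick Notes.one", "binary",
            "BD992B65B13372634D28830F3064E0FE96EA5475203FDE0958DCE1B65712D8CC"),
    Dropped(864, "WscService.exe", DOCS + r"\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteQuery.ps1", "binary",
            "88A5821B98CF9DDF92E0EA1B3F354116B95C8C1745E8F8B304664E8CEC9795FE"),
]


def autorun_entries(writes: list[RegWrite]) -> dict[tuple[str, str], list[int]]:
    """{(value name, target path): [writing PIDs]} for writes to an autostart key."""
    out: dict[tuple[str, str], list[int]] = {}
    for w in writes:
        if w.key.lower() in RUN_KEYS:
            out.setdefault((w.name, w.value), []).append(w.pid)
    return out


def self_copies(dropped: list[Dropped], sample_sha256: str) -> list[Dropped]:
    """Dropped executables that are byte-identical to the submitted sample."""
    return [d for d in dropped if d.kind == "executable" and d.sha256.upper() == sample_sha256.upper()]


def persisted_self_copies(writes: list[RegWrite], dropped: list[Dropped], sample_sha256: str) -> list[dict]:
    """Autorun entries whose target is an identical copy of the sample in a
    user-writable directory: drop-then-register persistence. Every PID that
    re-writes the same value is kept, since the repeated writes by each
    WscService.exe instance are themselves a trait worth recording."""
    copies = {d.path.lower(): d for d in self_copies(dropped, sample_sha256)}
    findings = []
    for (name, target), pids in autorun_entries(writes).items():
        copy = copies.get(target.lower())
        if copy is not None and target.lower().startswith(USER_WRITABLE):
            findings.append({"value_name": name, "target": target,
                             "dropped_by": copy.pid, "persisted_by": sorted(pids)})
    return findings


def profile_files_touched(dropped: list[Dropped], image: str) -> list[str]:
    """Non-executable files under the user profile written by the given image.
    For the persisted WscService.exe these are a mail store, an Access database
    and OneNote pages: the footprint behind the report's personal-data signature."""
    return sorted(d.path for d in dropped
                  if d.process.lower() == image.lower() and d.kind != "executable"
                  and d.path.lower().startswith("c:\\users\\"))


if __name__ == "__main__":
    for f in persisted_self_copies(REG_WRITES, DROPPED, SAMPLE_SHA256):
        print("persisted self-copy:", f)
    print("profile files touched:", profile_files_touched(DROPPED, "WscService.exe"))
```

The hash comparison is what turns two separate signatures ("Executable content was dropped" and "Changes the autorun value") into one finding: the autorun target is the sample itself under a new name. Hunting on a live host would check the same three things, the Run value, the file at its target, and that file's hash against the SHA256 in the Indicators section.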
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests

Request 1
  PID / Process: -
  Method: POST
  HTTP Code: 500
  IP: 40.91.76.224:443
  URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
  CN: unknown
  Type: xml
  Size: 512 b
  Reputation: whitelisted

Request 2
  PID / Process: -
  Method: POST
  HTTP Code: -
  IP: 20.83.72.98:443
  URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
  CN: unknown
  Type: -
  Size: -
  Reputation: whitelisted

Connections

PID / Process | IP | Domain | ASN | CN | Reputation
- | 192.168.100.255:138 | - | - | - | whitelisted
- | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3332 slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2420 slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 172.217.18.14 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info