URL:

http://download.i-tax.cn/softs/WQAS.exe

Full analysis: https://app.any.run/tasks/ec038643-55d8-4f2e-adb3-9932453a6eee
Verdict: Malicious activity
Analysis date: March 26, 2026, 16:40:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MD5:

874BEC54960298985C2BD689F4A63E74

SHA1:

0DAE14C6636720293398F58150548D3DAC1A8143

SHA256:

7D11647A1042AD8ECF28CC78448F637C0404171EBC254D3281889F322DBC2E6C

SSDEEP:

3:N1KaKElfHKDN:Ca5fKDN

Note on the fuzzy hash: a block size of 3 is the smallest ssdeep uses, and the standard algorithm only keeps it for inputs of at most 192 bytes (3 x 64). The MD5/SHA1/SHA256 above therefore fingerprint a tiny object fetched from the URL, far smaller than a functional PE with the behaviour seen below, so they most likely identify a stub or an error body served for that path. Pivot on the behavioural artefacts in this report (paths, registry values, task activity) rather than on the file hashes alone.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • WindowsServiceRunSelf.exe (PID: 8508)
      • WindowsServiceRunSelf.exe (PID: 8676)
      • WindowsServiceRunSelf.exe (PID: 8640)
    • Changes the autorun value in the registry

      • WindowsQptAds.exe (PID: 8720)
    • Create files in the Startup directory

      • WindowsQptAds.exe (PID: 8720)
    • Uses Task Scheduler to autorun other applications

      • WindowsQptAds.exe (PID: 8720)
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • WQAS.exe (PID: 8336)
      • WQAS.exe (PID: 8408)
      • WQAS.exe (PID: 8384)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 8736)
      • schtasks.exe (PID: 8336)
      • schtasks.exe (PID: 8856)
      • schtasks.exe (PID: 7120)
      • schtasks.exe (PID: 7132)
      • schtasks.exe (PID: 7128)
    • The process executes via Task Scheduler

      • WindowsQptAds.exe (PID: 8720)
      • WindowsQptAds.exe (PID: 8356)
      • WindowsQptAds.exe (PID: 8512)
      • WindowsQptAds.exe (PID: 9012)
      • WindowsQptAds.exe (PID: 9076)
      • WindowsQptAds.exe (PID: 8424)
      • WindowsQptAds.exe (PID: 4108)
      • schtasks.exe (PID: 7128)
      • schtasks.exe (PID: 7132)
      • schtasks.exe (PID: 7120)
    • Creates scheduled task with highest privileges

      • schtasks.exe (PID: 8596)
      • schtasks.exe (PID: 9076)
      • schtasks.exe (PID: 8804)
      • schtasks.exe (PID: 8692)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 8920)
      • schtasks.exe (PID: 9012)
      • schtasks.exe (PID: 9140)
      • schtasks.exe (PID: 8764)
      • schtasks.exe (PID: 8924)
      • schtasks.exe (PID: 8740)
      • schtasks.exe (PID: 4476)
      • schtasks.exe (PID: 6884)
    • Modifies existing scheduled task

      • schtasks.exe (PID: 9204)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 4692)
      • firefox.exe (PID: 4604)
      • firefox.exe (PID: 5348)
    • Checks supported languages

      • identity_helper.exe (PID: 7368)
      • WQAS.exe (PID: 8336)
      • WindowsServiceRunSelf.exe (PID: 8508)
      • WindowsQptAds.exe (PID: 8720)
      • WQAS.exe (PID: 8408)
      • WindowsServiceRunSelf.exe (PID: 8676)
      • WindowsQptAds.exe (PID: 8356)
      • WQAS.exe (PID: 8384)
      • WindowsQptAds.exe (PID: 8512)
      • WindowsServiceRunSelf.exe (PID: 8640)
      • WindowsQptAds.exe (PID: 8424)
      • WindowsQptAds.exe (PID: 9076)
      • WindowsQptAds.exe (PID: 9012)
      • WindowsQptAds.exe (PID: 4108)
      • WindowsQptAds.exe (PID: 6796)
    • Reads the computer name

      • identity_helper.exe (PID: 7368)
      • WindowsServiceRunSelf.exe (PID: 8508)
      • WindowsQptAds.exe (PID: 8720)
      • WindowsServiceRunSelf.exe (PID: 8676)
      • WindowsServiceRunSelf.exe (PID: 8640)
      • WindowsQptAds.exe (PID: 8512)
      • WindowsQptAds.exe (PID: 8356)
      • WindowsQptAds.exe (PID: 9076)
      • WindowsQptAds.exe (PID: 9012)
      • WindowsQptAds.exe (PID: 8424)
      • WindowsQptAds.exe (PID: 4108)
      • WindowsQptAds.exe (PID: 6796)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 4692)
    • Reads Environment values

      • identity_helper.exe (PID: 7368)
    • Create files in a temporary directory

      • WQAS.exe (PID: 8336)
      • WQAS.exe (PID: 8408)
      • WQAS.exe (PID: 8384)
    • Launching a file from a Registry key

      • WindowsQptAds.exe (PID: 8720)
    • Reads the machine GUID from the registry

      • WindowsQptAds.exe (PID: 8720)
      • WindowsQptAds.exe (PID: 8356)
      • WindowsQptAds.exe (PID: 8512)
      • WindowsQptAds.exe (PID: 9012)
      • WindowsQptAds.exe (PID: 4108)
      • WindowsQptAds.exe (PID: 6796)
    • Launching a file from Task Scheduler

      • WindowsServiceRunSelf.exe (PID: 8508)
      • WindowsServiceRunSelf.exe (PID: 8676)
      • WindowsServiceRunSelf.exe (PID: 8640)
    • Creates files or folders in the user directory

      • WindowsQptAds.exe (PID: 8720)
    • Launching a file from the Startup directory

      • WindowsQptAds.exe (PID: 8720)
    • Disables trace logs

      • WindowsQptAds.exe (PID: 8720)
      • WindowsQptAds.exe (PID: 8356)
      • WindowsQptAds.exe (PID: 8512)
      • WindowsQptAds.exe (PID: 9012)
      • WindowsQptAds.exe (PID: 4108)
      • WindowsQptAds.exe (PID: 6796)
    • Manual execution by a user

      • WQAS.exe (PID: 8328)
      • WQAS.exe (PID: 8384)
      • WindowsQptAds.exe (PID: 6640)
      • WindowsQptAds.exe (PID: 6796)
      • WindowsQptAds.exe (PID: 6712)
      • firefox.exe (PID: 4604)
      • WindowsQptAds.exe (PID: 6676)
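The MALICIOUS and SUSPICIOUS signatures above are driven by the schtasks.exe and taskkill.exe command lines and by what the Task Scheduler later launched. The following script is an added example, not part of the ANY.RUN report, showing how to recover those signature names from process-creation telemetry (Sysmon event 1 or an EDR equivalent). The report shows which signatures fired but not the schtasks arguments or task names, so every command line, the task name "ExampleTask", the taskkill target and the parent paths of the schtasks/taskkill instances are constructed placeholders; only the WindowsQptAds.exe path, its svchost.exe parent and the PIDs 4108, 5276, 8596, 8736, 8920 and 9204 come from the report.

```python
"""Map schtasks.exe / taskkill.exe command lines and Task-Scheduler-launched binaries
onto the report's signature names. Added example, not ANY.RUN's code: the report
shows which signatures fired, not the schtasks arguments or task names, so every
command line, "ExampleTask", the taskkill target and the parents of the
schtasks/taskkill instances below are CONSTRUCTED placeholders."""
import shlex
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass
class ProcEvent:
    pid: int
    image: str         # full path of the started process
    parent_image: str  # full path of its parent
    cmdline: str
    integrity: str = "MEDIUM"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> list:
    """Tokenise a Windows command line (posix=False keeps backslashes intact)."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        parts = cmdline.split()
    return [p.strip('"').lower() for p in parts]


def _opt(args: list, switch: str):
    """Value that follows a /switch, or None when absent."""
    if switch in args and args.index(switch) + 1 < len(args):
        return args[args.index(switch) + 1]
    return None


def classify_schtasks(cmdline: str) -> list:
    a, out = _args(cmdline), []
    if "/create" in a:
        out.append("Creates scheduled task")
        if _opt(a, "/rl") == "highest":
            out.append("Creates scheduled task with highest privileges")
    if "/delete" in a and "/f" in a:
        out.append("Deletes scheduled task without confirmation")
    if "/query" in a:
        out.append("Lists all scheduled tasks")
    if "/change" in a:
        out.append("Modifies existing scheduled task")
    return out


def classify_taskkill(cmdline: str) -> list:
    a, out = _args(cmdline), ["Uses TASKKILL.EXE to kill process"]
    if "/f" in a:
        out.append("forced termination (/F)")
    target = _opt(a, "/im") or _opt(a, "/pid")
    if target:
        out.append(f"target {target}")
    return out


def launched_by_scheduler_outside_system_dirs(ev: ProcEvent) -> bool:
    """svchost.exe (host of the Schedule service) starting a binary that lives under
    C:\\Windows but outside the real system directories, as WindowsQptAds.exe does."""
    img = ev.image.lower()
    return (_basename(ev.parent_image) == "svchost.exe"
            and img.startswith("c:\\windows\\") and not img.startswith(SYSTEM_DIRS))


def triage(events) -> dict:
    """{pid: [findings]} for every event that matched something."""
    findings = {}
    for ev in events:
        hits, name = [], _basename(ev.image)
        if name == "schtasks.exe":
            hits += classify_schtasks(ev.cmdline)
        elif name == "taskkill.exe":
            hits += classify_taskkill(ev.cmdline)
        if launched_by_scheduler_outside_system_dirs(ev):
            hits.append(f"Task-Scheduler-launched binary outside system dirs at {ev.integrity} integrity: {ev.image}")
        if hits:
            findings[ev.pid] = hits
    return findings


_SELF = r"C:\Users\admin\AppData\Local\Temp\WindowsServiceRunSelf.exe"  # placeholder parent path
_ADS = r"C:\Windows\WindowsQptAdService\WindowsQptAds.exe"              # path from the report
SAMPLE_EVENTS = [  # constructed; PIDs 8596/8736/8920/9204/4108/5276 are the report's
    ProcEvent(9001, r"C:\Windows\System32\taskkill.exe", r"C:\Users\admin\Downloads\WQAS.exe",
              "taskkill /F /IM example.exe", "HIGH"),
    ProcEvent(8596, r"C:\Windows\System32\schtasks.exe", _SELF,
              'schtasks /Create /TN "ExampleTask" /TR "' + _ADS + '" /SC ONLOGON /RL HIGHEST /F', "HIGH"),
    ProcEvent(8736, r"C:\Windows\System32\schtasks.exe", _SELF, 'schtasks /Delete /TN "ExampleTask" /F', "HIGH"),
    ProcEvent(8920, r"C:\Windows\System32\schtasks.exe", _ADS, "schtasks /Query /FO LIST /V", "HIGH"),
    ProcEvent(9204, r"C:\Windows\System32\schtasks.exe", _ADS, 'schtasks /Change /TN "ExampleTask" /ENABLE', "HIGH"),
    ProcEvent(4108, _ADS, r"C:\Windows\System32\svchost.exe", '"' + _ADS + '"', "HIGH"),
    ProcEvent(5276, r"C:\Windows\System32\MoUsoCoreWorker.exe", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\MoUsoCoreWorker.exe", "SYSTEM"),  # benign control
]

if __name__ == "__main__":
    for pid, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, hits)
```

The svchost.exe parent check is deliberately broad: svchost.exe hosts many services besides the Schedule service, so on a live host confirm a hit against the Task Scheduler operational log (event 106 for task registration, 200 for an action starting) or Security event 4698 where task auditing is enabled.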
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
382
Monitored processes
106
Malicious processes
1
Suspicious processes
6

Behavior graph

Behavior graph: interactive in the full report; only the flattened node list survived extraction. Node order as extracted: msedge.exe (many instances) and identity_helper.exe, then three repetitions of wqas.exe, taskkill.exe, windowsservicerunself.exe, schtasks.exe, windowsqptads.exe and further schtasks.exe nodes (each console tool paired with a conhost.exe), then several more windowsqptads.exe and schtasks.exe nodes, and finally firefox.exe. Nodes marked "no specs" in the graph carry no signatures.

Process information

Columns: PID | CMD | Path | Parent process (the Indicators column is empty for every row in this extract)
PID: 1032 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1276 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4228 -prefsLen 37375 -prefMapHandle 4232 -prefMapSize 273045 -jsInitHandle 4236 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4244 -initialChannelId {7a22c33a-db78-4916-bad5-eff3d5ab6f9d} -parentPid 5348 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5348" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2316 | CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6736,i,14191175456396814404,17818494192397408227,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:8 | Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Parent: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2368 | CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7148,i,14191175456396814404,17818494192397408227,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:8 | Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Parent: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2684 | CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x294,0x298,0x29c,0x28c,0x2a4,0x7ffe2392f208,0x7ffe2392f214,0x7ffe2392f220 | Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Parent: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2908 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5416 -prefsLen 39377 -prefMapHandle 5508 -prefMapSize 273045 -jsInitHandle 5512 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5576 -initialChannelId {46d99c6c-8b88-4a35-822d-60cc1a697362} -parentPid 5348 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5348" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2948 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 5268 -prefsLen 45425 -prefMapHandle 5376 -prefMapSize 273045 -ipcHandle 5212 -initialChannelId {78b9387f-1cb6-4735-9452-c67a90a71836} -parentPid 5348 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5348" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 3112 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5832 -prefsLen 39429 -prefMapHandle 5836 -prefMapSize 273045 -jsInitHandle 5840 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5792 -initialChannelId {36e21ce8-8b31-4c7a-a62f-316320627052} -parentPid 5348 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5348" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 3116 | CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6028 -prefsLen 39429 -prefMapHandle 6020 -prefMapSize 273045 -jsInitHandle 6016 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 5852 -initialChannelId {383900cb-e88b-4c77-be49-1a07295048b8} -parentPid 5348 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5348" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab | Path: C:\Program Files\Mozilla Firefox\firefox.exe | Parent: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 4108 | CMD: "C:\WINDOWS\WindowsQptAdService\WindowsQptAds.exe" | Path: C:\Windows\WindowsQptAdService\WindowsQptAds.exe | Parent: svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\windowsqptadservice\windowsqptads.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
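PID 4108 above is WindowsQptAds.exe started by svchost.exe, which is how a task run by the Schedule service appears in a process tree; it runs at HIGH integrity, carries no Company or Description version fields (compare the Microsoft and Mozilla rows), and loads wow64*.dll and mscoree.dll, i.e. it is a 32-bit .NET executable. On a live host the matching task definition can be found by parsing the XML files in C:\Windows\System32\Tasks. The parser and scoring below are an added example, not code from the report: the report does not show the task name or its XML, so all three definitions in SAMPLE_TASKS are constructed in the Task Scheduler schema, and only the executable path in ExampleTask comes from the analysis.

```python
"""Hunt scheduled-task definitions for the pattern behind "Creates scheduled task
with highest privileges" / "Uses Task Scheduler to autorun other applications".
Added example, not ANY.RUN's code. The report does not show the task name or XML,
so every definition in SAMPLE_TASKS is CONSTRUCTED in the Task Scheduler schema;
only the WindowsQptAds.exe path is from the analysis. Real definitions are UTF-16
XML files under C:\\Windows\\System32\\Tasks."""
import pathlib
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")


def parse_task(xml_bytes: bytes) -> dict:
    """Pull the fields that matter for triage out of one task definition."""
    root = ET.fromstring(xml_bytes)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    # The scheduler expands %SystemRoot%/%windir% itself; do the same so path checks work.
    command = re.sub(r"%(systemroot|windir)%", lambda m: "C:\\Windows",
                     text("t:Actions/t:Exec/t:Command"), flags=re.IGNORECASE).strip('"')
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel") or "LeastPrivilege",
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "triggers": [t.tag.rsplit("}", 1)[-1] for t in root.findall("t:Triggers/*", NS)],
        "command": command,
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }


def assess(task: dict) -> list:
    """Reasons a task deserves a closer look; an empty list means nothing notable."""
    reasons = []
    cmd = task["command"].lower()
    if task["run_level"] == "HighestAvailable":
        reasons.append("runs with highest privileges")
    if cmd.startswith("c:\\windows\\") and not cmd.startswith(SYSTEM_DIRS):
        reasons.append(f"command in a non-standard C:\\Windows subfolder: {task['command']}")
    elif cmd and not cmd.startswith(TRUSTED_DIRS):
        reasons.append(f"command outside system/Program Files directories: {task['command']}")
    return reasons


def hunt(tasks: dict) -> list:
    """tasks: {name: xml bytes}. Returns [(name, reasons)], most suspicious first."""
    scored = [(name, assess(parse_task(xml))) for name, xml in tasks.items()]
    return sorted(scored, key=lambda item: -len(item[1]))


def load_task_store(folder: str = r"C:\Windows\System32\Tasks") -> dict:
    """Read every task file in the scheduler's store (needs admin on a live host)."""
    base = pathlib.Path(folder)
    return {str(p.relative_to(base)): p.read_bytes() for p in base.rglob("*") if p.is_file()}


def _task_xml(author: str, trigger: str, run_level: str, command: str, args: str = "") -> bytes:
    """Constructed task definition, encoded like the real files (UTF-16 with BOM)."""
    args_el = f"<Arguments>{args}</Arguments>" if args else ""
    xml = (
        '<?xml version="1.0" encoding="UTF-16"?>\n'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\n'
        f"  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>\n"
        f"  <Triggers>{trigger}</Triggers>\n"
        '  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>'
        f"<RunLevel>{run_level}</RunLevel></Principal></Principals>\n"
        f'  <Actions Context="Author"><Exec><Command>{command}</Command>{args_el}</Exec></Actions>\n'
        "</Task>\n"
    )
    return xml.encode("utf-16")


SAMPLE_TASKS = {
    # Modelled on the report: only the command path is from the analysis.
    "ExampleTask": _task_xml("admin", "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
                             "HighestAvailable", r"C:\WINDOWS\WindowsQptAdService\WindowsQptAds.exe"),
    # Constructed benign controls.
    "ExampleSystemTask": _task_xml("Microsoft Corporation", "<BootTrigger><Enabled>true</Enabled></BootTrigger>",
                                   "LeastPrivilege", r"%SystemRoot%\System32\example.exe", "/scan"),
    "ExampleUpdater": _task_xml("Example Vendor", "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>",
                                "HighestAvailable", r'"C:\Program Files\Example\updater.exe"', "/silent"),
}

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS):
        print(f"{name}: {reasons or 'nothing notable'}")
```

Replace SAMPLE_TASKS with load_task_store() on a suspect host. A HighestAvailable task whose command sits under Program Files (the ExampleUpdater control) is common for vendor updaters and scores one reason; the combination seen in this report, highest privileges plus a command in a non-standard C:\Windows subfolder, scores two and sorts to the top.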
Total events
6 710
Read events
6 694
Write events
16
Delete events
0

Modification events (10 of the 16 write events are shown)

PID | Process | Operation | Key | Name | Value
8720 | WindowsQptAds.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | WindowsQptAds | C:\WINDOWS\WindowsQptAdService\WindowsQptAds.exe
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | WindowsQptAds | C:\WINDOWS\WindowsQptAdService\WindowsQptAds.exe
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32 | EnableFileTracing | 0
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32 | EnableAutoFileTracing | 0
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32 | EnableConsoleTracing | 0
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32 | FileTracingMask | (value not shown in the report)
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32 | ConsoleTracingMask | (value not shown in the report)
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32 | MaxFileSize | 1048576
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32 | FileDirectory | %windir%\tracing
8720 | WindowsQptAds.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASMANCS | EnableFileTracing | 0

The two Run-key writes are the persistence to act on: the same value lands in the per-user HKCU hive and in the machine-wide hive under WOW6432Node, which is where a 32-bit process's HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run write is redirected (consistent with the wow64*.dll and mscoree.dll in the module list of PID 4108, and only possible because the process ran at HIGH integrity). The Tracing\WindowsQptAds_RASAPI32 and _RASMANCS values, which back the "Disables trace logs" signature, are the stock defaults (tracing off, %windir%\tracing, 1 MiB) that rasapi32.dll and rasman write under a per-process key the first time a process touches the RAS APIs, which .NET networking code routinely does; they indicate that the process initialised networking, not that it tampered with logging.
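A triage routine for these registry writes, added here as an example and not part of the report: it separates the two autorun writes from the RAS tracing defaults, records whether each autorun is per-user or machine-wide and whether it landed in the 32-bit (WOW6432Node) view, and flags autorun targets that live in a non-standard C:\Windows subfolder or in user drop directories. The first ten sample events are the report's own (the two mask values are empty there too); the OneDrive and Explorer writes at the end are constructed benign controls. The file the report says WindowsQptAds.exe created in the Startup directory is not checked here because its name is not shown.

```python
"""Triage registry writes: separate autorun persistence from the RAS tracing
defaults behind the "Disables trace logs" signature.
Added example, not ANY.RUN's code. SAMPLE_WRITES reproduces the report's ten
modification events for PID 8720; the last two entries are CONSTRUCTED benign
controls."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: Optional[str]


RUN_KEY = re.compile(
    r"^(HKEY_CURRENT_USER|HKCU|HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
TRACING_KEY = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKLM)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Tracing\\[^\\]+_(RASAPI32|RASMANCS)$",
    re.IGNORECASE)
# Values rasapi32/rasman write with stock defaults the first time a process touches the
# RAS APIs (common for .NET networking code). None = accept any value for that name.
RAS_EXPECTED = {"EnableFileTracing": "0", "EnableAutoFileTracing": "0", "EnableConsoleTracing": "0",
                "FileTracingMask": None, "ConsoleTracingMask": None,
                "MaxFileSize": "1048576", "FileDirectory": "%windir%\\tracing"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_DROP_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def _exe_from_value(value: str) -> str:
    """Executable path from an autorun value, with or without quotes/arguments."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value[1:value.index('"', 1)]
    m = re.match(r"(.*?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value


def _suspicious_target(path: str) -> bool:
    p = path.lower()
    in_windows_not_system = p.startswith("c:\\windows\\") and not p.startswith(SYSTEM_DIRS)
    return in_windows_not_system or any(d in p for d in USER_DROP_DIRS)


def _leaf(key: str) -> str:
    return key.rsplit("\\", 1)[-1]


def classify(ev: RegWrite) -> tuple:
    """Return (category, human-readable detail) for one registry write."""
    if RUN_KEY.match(ev.key):
        per_user = ev.key.upper().startswith(("HKEY_CURRENT_USER", "HKCU"))
        scope = "per-user (HKCU)" if per_user else "machine-wide (HKLM)"
        view = ", 32-bit view (WOW6432Node)" if "\\WOW6432NODE\\" in ev.key.upper() else ""
        target = _exe_from_value(ev.value or "")
        cat = "autorun_suspicious" if _suspicious_target(target) else "autorun"
        return cat, f"{scope}{view}: {ev.name} -> {target}"
    if TRACING_KEY.match(ev.key):
        detail = f"{_leaf(ev.key)}: {ev.name}={ev.value}"
        if ev.name not in RAS_EXPECTED:
            return "ras_tracing_nondefault", detail
        expected = RAS_EXPECTED[ev.name]
        if expected is not None and ev.value != expected:
            return "ras_tracing_nondefault", detail
        return "ras_tracing_default", detail
    return "other", f"{ev.key}: {ev.name}={ev.value}"


def summarize(events) -> Counter:
    return Counter(classify(ev)[0] for ev in events)


def persistence(events) -> list:
    """Details of every autorun write, suspicious or not, in event order."""
    return [d for c, d in map(classify, events) if c.startswith("autorun")]


_RUN_HKCU = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_RUN_HKLM32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
_RASAPI = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASAPI32"
_RASMAN = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\WindowsQptAds_RASMANCS"
_TARGET = r"C:\WINDOWS\WindowsQptAdService\WindowsQptAds.exe"
SAMPLE_WRITES = [  # first ten rows: the report's events for PID 8720
    RegWrite(8720, "WindowsQptAds.exe", _RUN_HKCU, "WindowsQptAds", _TARGET),
    RegWrite(8720, "WindowsQptAds.exe", _RUN_HKLM32, "WindowsQptAds", _TARGET),
    RegWrite(8720, "WindowsQptAds.exe", _RASAPI, "EnableFileTracing", "0"),
    RegWrite(8720, "WindowsQptAds.exe", _RASAPI, "EnableAutoFileTracing", "0"),
    RegWrite(8720, "WindowsQptAds.exe", _RASAPI, "EnableConsoleTracing", "0"),
    RegWrite(8720, "WindowsQptAds.exe", _RASAPI, "FileTracingMask", None),
    RegWrite(8720, "WindowsQptAds.exe", _RASAPI, "ConsoleTracingMask", None),
    RegWrite(8720, "WindowsQptAds.exe", _RASAPI, "MaxFileSize", "1048576"),
    RegWrite(8720, "WindowsQptAds.exe", _RASAPI, "FileDirectory", r"%windir%\tracing"),
    RegWrite(8720, "WindowsQptAds.exe", _RASMAN, "EnableFileTracing", "0"),
    # constructed benign controls
    RegWrite(1234, "OneDrive.exe", _RUN_HKCU, "OneDrive",
             r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegWrite(1234, "explorer.exe", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
             "Hidden", "1"),
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_WRITES)))
    for line in persistence(SAMPLE_WRITES):
        print(line)
```

Fed with Sysmon event 13 (RegistryEvent value set) records or a sandbox's modification-event export, the same logic lets an analyst suppress the eight tracing rows and keep the two autoruns, which is the split a "Disables trace logs" alert by itself does not give.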
Executable files
0
Suspicious files
25
Text files
203
Unknown types
248

Dropped files

PID | Process | Filename (the Type, MD5 and SHA256 fields are empty for every row in this extract)
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdffdc.TMP
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFdffec.TMP
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdffec.TMP
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFdfffc.TMP
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe001b.TMP
4692 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old

All ten rows shown are Edge LevelDB log rotations (LOG.old and their ~RF*.TMP rename temporaries) in the browser profile, i.e. browser housekeeping, not files written by the sample. The files the signatures attribute to WQAS.exe (temporary directory) and WindowsQptAds.exe (Startup and user directories), and the WindowsQptAds.exe binary itself under C:\Windows\WindowsQptAdService\, are not among the rows in this extract; see the full report for them.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
164
TCP/UDP connections
94
DNS requests
111
Threats
1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
7160 | msedge.exe | GET | 304 | 150.171.27.11:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | US | - | - | whitelisted
7160 | msedge.exe | GET | 200 | 150.171.109.100:443 | https://api.edgeoffer.microsoft.com/edgeoffer/pb/experiments?appId=edge-extensions&country=US | US | binary | 82 b | whitelisted
7160 | msedge.exe | GET | 200 | 104.18.22.222:443 | https://copilot.microsoft.com/c/api/user/eligibility | US | text | 25 b | whitelisted
7160 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | US | text | 314 b | whitelisted
7160 | msedge.exe | GET | 200 | 150.171.28.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:cJtq2EhBKWHeNeMa2of1FaSShnGxcx0_A670L-zIo-o&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | binary | 100 b | whitelisted
7160 | msedge.exe | GET | 200 | 150.171.22.17:443 | https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1774543208&lafgdate=0 | US | binary | 43.4 Kb | whitelisted
7160 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/extensionwebstorebase/v1/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=edgecrx&prodchannel=&prodversion=133.0.3065.92&lang=en-US&acceptformat=crx3,puff&x=id%3Djmjflgjpcpepeafmmgdpfkogkghcpiha%26v%3D1.2.1%26installedby%3Dother%26uc%26ping%3Dr%253D97%2526e%253D1 | US | binary | 413 b | whitelisted
7160 | msedge.exe | POST | 200 | 142.250.201.67:443 | https://update.googleapis.com/service/update2/json?cup2key=14:K0qmLnUw6Xn0Kf4N4zQHrVGimQLTA6cc6jrDXHI423w&cup2hreq=2ea40c57aa2405820d408460230a7887e2bf0ff7d0b2263bacc01cc77e44cb66 | US | - | 891 b | whitelisted
7160 | msedge.exe | GET | 200 | 184.86.251.24:443 | https://www.bing.com/api/shopping/v1/user/shoppingsettings?EnabledServiceFeaturesv2=edgeServerUX.shopping.msEdgeShoppingCashbackDismissTimeout2s | NL | text | 1.11 Kb | whitelisted
7160 | msedge.exe | GET | 200 | 150.171.28.11:443 | https://edge.microsoft.com/entityextractiontemplates/api/v1/assets/find-assets?name=domains_config_gz&version=3.*.*&channel=stable&key=d414dd4f9db345fa8003e32adc81b362 | US | text | 267 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
7784 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
(not shown) | (not shown) | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
7160 | msedge.exe | 150.171.28.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7160 | msedge.exe | 150.171.22.17:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7160 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7160 | msedge.exe | 150.171.109.100:443 | api.edgeoffer.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7160 | msedge.exe | 104.18.22.222:443 | copilot.microsoft.com | CLOUDFLARENET | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.251.141.110
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
download.i-tax.cn
  • 58.218.215.70
malicious
api.edgeoffer.microsoft.com
  • 150.171.109.100
whitelisted
copilot.microsoft.com
  • 104.18.22.222
  • 104.18.23.222
whitelisted
update.googleapis.com
  • 142.250.201.67
whitelisted
www.bing.com
  • 184.86.251.24
  • 184.86.251.4
  • 184.86.251.27
  • 184.86.251.23
  • 184.86.251.30
  • 184.86.251.25
  • 184.86.251.28
  • 184.86.251.5
  • 184.86.251.22
  • 2.16.241.218
  • 2.16.241.207
  • 2.16.241.222
  • 2.16.241.201
  • 2.16.241.205
  • 2.16.241.225
  • 184.86.251.19
  • 184.86.251.15
  • 184.86.251.20
  • 23.36.162.68
  • 23.36.162.84
whitelisted

Threats

PID | Process | Class | Message
7784 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

The single IDS hit is the user agent Windows Error Reporting (Watson) uses, raised on a system svchost.exe, not on the sample. In this extract the only network artefact tied to the sample is the DNS resolution of download.i-tax.cn to 58.218.215.70 (reputation: malicious); none of the ten HTTP requests or ten connections shown originates from WQAS.exe, WindowsServiceRunSelf.exe or WindowsQptAds.exe, so check the full PCAP before concluding that the payload made no outbound contact.
No debug info