URL:

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmpHZ09tblp3Qk0tdjBXUWJvMlFLOE1sZmFld3xBQ3Jtc0tseXA2eVVKN2tkcEZzQWpVT0Z0TmV2UWVEUDdwR3BIT1BUUFJiemJINlRVWUtHeDBLV0puM2FlY2JESXJ1dFdGdjNMRUM3VjVhakdQenJCdzZvSzlaX2RXOVRQbzFmTndYNm91VjYxMWdOUWh3TmxiNA&q=https%3A%2F%2Fbytearmor.net%2F&v=yPJo_6mii4Y

Full analysis: https://app.any.run/tasks/8e6df777-eaa6-4ce4-b323-d98eaa344cae
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 24, 2026, 18:47:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
stealer
telegram
santastealer
ip-check
susp-powershell
Indicators:
MD5:

3AE37F7A579D0BB1AAF813F621C4B985

SHA1:

8192E62C294A70143E84EB45B170100166BD39A7

SHA256:

CB72A8EEAA9CDF7716ECC798462D87B17D8D0EDB17B32E067EDFD25E4EB63445

SSDEEP:

6:2OLUxGKmKLqZoVApWEXbmxWrXgnKoAHP9O0mXJLIwOHsrKDz8MKv7:2jGRfIAU+bGWrwzE9O0m58waKyIr7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8840)
      • powershell.exe (PID: 8660)
      • powershell.exe (PID: 8968)
      • powershell.exe (PID: 6732)
      • powershell.exe (PID: 9132)
      • powershell.exe (PID: 6504)
      • powershell.exe (PID: 8116)
      • powershell.exe (PID: 8680)
      • powershell.exe (PID: 7652)
      • powershell.exe (PID: 8996)
      • powershell.exe (PID: 7620)
      • powershell.exe (PID: 1860)
      • powershell.exe (PID: 1116)
      • powershell.exe (PID: 8840)
      • powershell.exe (PID: 9200)
      • powershell.exe (PID: 8304)
      • powershell.exe (PID: 8672)
      • powershell.exe (PID: 7908)
      • powershell.exe (PID: 8432)
      • powershell.exe (PID: 7132)
      • powershell.exe (PID: 2156)
      • powershell.exe (PID: 2880)
      • powershell.exe (PID: 7404)
      • powershell.exe (PID: 3696)
      • powershell.exe (PID: 3152)
      • powershell.exe (PID: 8616)
      • powershell.exe (PID: 5608)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 6752)

    • Steals credentials from Web Browsers

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Actions looks like stealing of personal data

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Starts POWERSHELL.EXE for commands execution

      • chrome.exe (PID: 2420)

    • Changes powershell execution policy (Bypass)

      • chrome.exe (PID: 2420)
      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Modifies exclusions in Windows Defender

      • reg.exe (PID: 4960)
      • reg.exe (PID: 4344)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 9200)

    • SANTASTEALER has been detected

      • powershell.exe (PID: 9200)
      • svchost.exe (PID: 8620)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 9200)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 9200)

  • SUSPICIOUS

    • Starts CMD.EXE with special quote handling

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 8756)
      • cmd.exe (PID: 5568)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 8912)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 4680)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 9212)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 7592)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 7248)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 8328)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 3164)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 7008)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 6836)
      • cmd.exe (PID: 7960)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 8000)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 8756)
      • cmd.exe (PID: 5568)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 8912)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 4680)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 9212)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 7592)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 7248)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 8328)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 3164)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 7008)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 7960)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 6836)
      • cmd.exe (PID: 8000)
      • cmd.exe (PID: 8828)

    • Starts CMD.EXE with AutoRun commands disabled

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 8756)
      • cmd.exe (PID: 5568)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 8912)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 4680)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 9212)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 7592)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 7248)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 8328)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 3164)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 7008)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 6836)
      • cmd.exe (PID: 7960)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 8000)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 8756)
      • chrome.exe (PID: 2420)
      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 7248)

    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 8756)
      • cmd.exe (PID: 8912)
      • cmd.exe (PID: 5568)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 4680)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 9212)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 7248)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 8328)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 3164)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8828)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 8904)
      • csc.exe (PID: 8784)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 8756)
      • cmd.exe (PID: 5568)
      • cmd.exe (PID: 8912)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 4680)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 9212)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 7248)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 8328)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 3164)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 8000)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4956)
      • cmd.exe (PID: 8756)
      • cmd.exe (PID: 8912)
      • cmd.exe (PID: 5568)
      • cmd.exe (PID: 9124)
      • cmd.exe (PID: 7648)
      • cmd.exe (PID: 4680)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 8280)
      • cmd.exe (PID: 9212)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 8116)
      • cmd.exe (PID: 2876)
      • bytearmor.exe (PID: 1108)
      • cmd.exe (PID: 1652)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 7248)
      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 664)
      • cmd.exe (PID: 8328)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 3164)
      • cmd.exe (PID: 8644)
      • cmd.exe (PID: 2428)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 8000)
      • bytearmor.exe (PID: 8952)

    • Uses WMIC.EXE to obtain data on the base board management (motherboard or system board)

      • cmd.exe (PID: 8072)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 6556)
      • cmd.exe (PID: 7008)

    • Searches for installed software

      • reg.exe (PID: 4960)
      • reg.exe (PID: 8060)

    • Uses REG/REGEDIT.EXE to modify or delete registry entries

      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 7592)
      • powershell.exe (PID: 9200)
      • cmd.exe (PID: 5664)
      • cmd.exe (PID: 6836)

    • Checks screen resolution (probably for evasion)

      • bytearmor.exe (PID: 1108)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 2876)
      • bytearmor.exe (PID: 8952)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8000)

    • Get Monitor Information (POWERSHELL)

      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8000)

    • Get information on the list of running processes

      • bytearmor.exe (PID: 1108)
      • cmd.exe (PID: 8116)
      • bytearmor.exe (PID: 8952)
      • cmd.exe (PID: 8828)

    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 1116)
      • powershell.exe (PID: 5608)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8840)
      • powershell.exe (PID: 7200)

    • Checks for external IP

      • bytearmor.exe (PID: 1108)
      • svchost.exe (PID: 2232)
      • bytearmor.exe (PID: 8952)

    • Possible stealing from password managers

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Creates file in the systems drive root

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Possible stealing from notes

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • There is functionality for capture public ip (YARA)

      • bytearmor.exe (PID: 1108)

    • Possible stealing from crypto wallets

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Browser headless start

      • chrome.exe (PID: 2420)
      • msedge.exe (PID: 2880)
      • firefox.exe (PID: 1404)
      • msedge.exe (PID: 8128)
      • chrome.exe (PID: 8612)
      • firefox.exe (PID: 9156)

    • Possible stealing of VPN data

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Possible stealing of FTP data

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Possible stealing of messenger data

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • BASE64 encoded PowerShell command has been detected

      • chrome.exe (PID: 2420)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 9200)
      • powershell.exe (PID: 3640)
      • powershell.exe (PID: 3008)
      • powershell.exe (PID: 8940)

    • Uses ATTRIB.EXE to modify file attributes

      • powershell.exe (PID: 9200)

    • Creates scheduled task with ONLOGON parameter

      • powershell.exe (PID: 9200)

    • Creates scheduled task with highest privileges

      • schtasks.exe (PID: 900)
      • schtasks.exe (PID: 5888)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 9200)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 9200)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 9200)

    • The process executes files with name similar to system file names

      • powershell.exe (PID: 9200)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 9200)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 1900)
      • bytearmor.exe (PID: 1108)
      • csc.exe (PID: 8904)
      • bytearmor.exe (PID: 8952)
      • csc.exe (PID: 8784)
      • svchost.exe (PID: 8620)

    • Application launched itself

      • msedge.exe (PID: 5420)

    • Reads the computer name

      • identity_helper.exe (PID: 1900)
      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Reads Environment values

      • identity_helper.exe (PID: 1900)
      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 8212)
      • WMIC.exe (PID: 2828)
      • WMIC.exe (PID: 2204)
      • WMIC.exe (PID: 2828)
      • WMIC.exe (PID: 8672)

    • Reads the machine GUID from the registry

      • bytearmor.exe (PID: 1108)
      • csc.exe (PID: 8904)
      • bytearmor.exe (PID: 8952)
      • csc.exe (PID: 8784)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8840)
      • powershell.exe (PID: 7908)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 8840)
      • powershell.exe (PID: 7908)

    • Search a value from a registry key

      • reg.exe (PID: 4960)
      • cmd.exe (PID: 2300)
      • cmd.exe (PID: 7592)
      • reg.exe (PID: 5988)
      • cmd.exe (PID: 5664)
      • reg.exe (PID: 8060)
      • cmd.exe (PID: 6836)
      • reg.exe (PID: 1352)

    • Reads CPU info

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 9200)

    • Found Base64 encoded file access via PowerShell (YARA)

      • powershell.exe (PID: 9200)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • powershell.exe (PID: 9200)

    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 9200)

    • Forces immediate Group Policy refresh

      • gpupdate.exe (PID: 5140)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 9200)

    • Manual execution by a user

      • bytearmor.exe (PID: 8952)

    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • powershell.exe (PID: 9200)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 9200)

    • Reads product name

      • bytearmor.exe (PID: 1108)
      • bytearmor.exe (PID: 8952)

    • The executable file from the user directory is run by the Powershell process

      • svchost.exe (PID: 8620)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 2916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
329
Monitored processes
184
Malicious processes
13
Suspicious processes
52

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs bytearmor.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs chrome.exe msedge.exe firefox.exe #SANTASTEALER powershell.exe conhost.exe no specs msedge.exe attrib.exe no specs attrib.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs gpupdate.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs bytearmor.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs csc.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs #SANTASTEALER svchost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe chrome.exe firefox.exe msedge.exe powershell.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs openwith.exe no specs msedge.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
352"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5284,i,11558103796346863911,12493178861551519831,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=7384 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
552"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=1372,i,11558103796346863911,12493178861551519831,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=1688 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
664C:\WINDOWS\system32\cmd.exe /d /s /c "powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Manufacturer | Format-List""C:\Windows\System32\cmd.exebytearmor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
784"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=3812,i,11558103796346863911,12493178861551519831,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=5692 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
900"C:\WINDOWS\system32\schtasks.exe" /create /tn WindowsSystemService /tr C:\Users\admin\AppData\Local\Microsoft\OfficeBroker\svchost.exe /sc onlogon /rl highest /fC:\Windows\System32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1108"C:\Users\admin\AppData\Local\Temp\Rar$EXb8212.13225\Bytearmor_v2.2.1\bytearmor.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb8212.13225\Bytearmor_v2.2.1\bytearmor.exe
WinRAR.exe
User:
admin
Company:
Oven
Integrity Level:
MEDIUM
Description:
Bun
Version:
1.3.13
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb8212.13225\bytearmor_v2.2.1\bytearmor.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gdi32.dll
1116powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-Process -ErrorAction SilentlyContinue).Count"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1280"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3644,i,11558103796346863911,12493178861551519831,262144 --disable-features=HttpsFirstBalancedMode,HttpsFirstModeV2,HttpsOnlyMode,HttpsUpgrades --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1280\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1352reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
146 616
Read events
146 559
Write events
44
Delete events
13

Modification events

(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Downloads\Bytearmor_v2.2.1.zip
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:15
Value:
(PID) Process:(8564) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\DialogEditHistory\ExtrPath
Operation:delete valueName:14
Value:
Executable files
7
Suspicious files
225
Text files
285
Unknown types
0

Dropped files

PID
Process
Filename
Type
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RFdff5f.TMP
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFdff6f.TMP
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFdff6f.TMP
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFdff6f.TMP
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFdff6f.TMP
MD5:
SHA256:
5420msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
176
TCP/UDP connections
140
DNS requests
101
Threats
75

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
8164
msedge.exe
GET
200
2.16.241.201:443
https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json
NL
text
666 Kb
whitelisted
8164
msedge.exe
GET
200
192.178.183.94:443
https://www.gstatic.com/youtube/img/branding/youtubelogo/2x/youtubelogo_50.png
US
image
1.89 Kb
whitelisted
8164
msedge.exe
GET
200
142.251.127.190:443
https://www.youtube.com/img/favicon_32.png
US
image
348 b
whitelisted
8164
msedge.exe
GET
200
52.123.243.193:443
https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeRuntime%2CEdgeRuntimeConfig%2CEdgeDomainActions&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=67&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1779648444&lafgdate=0
US
text
43.5 Kb
whitelisted
8164
msedge.exe
GET
200
192.178.183.94:443
https://www.gstatic.com/youtube/src/web/htdocs/img/search.png
US
image
247 b
whitelisted
8164
msedge.exe
GET
200
150.171.109.100:443
https://xpaywalletcdn.azureedge.net/mswallet/ExpressCheckout/v1/GetGlobalConfig?EdgeChannel=stable&EdgeVersion=133.0.3065.92&ConfigVersion=0
US
text
393 Kb
whitelisted
8164
msedge.exe
GET
200
142.251.127.190:443
https://www.youtube.com/img/favicon.ico
US
image
1.12 Kb
whitelisted
8164
msedge.exe
GET
200
89.124.119.90:443
https://bytearmor.net/assets/css/components.css
unknown
text
8.44 Kb
unknown
8164
msedge.exe
GET
200
89.124.119.90:443
https://bytearmor.net/
unknown
html
42.4 Kb
unknown
8164
msedge.exe
GET
200
89.124.119.90:443
https://bytearmor.net/assets/css/theme.css
unknown
text
2.81 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
680
svchost.exe
57.153.246.3:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
57.153.246.3:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
128.24.231.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
8164
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8164
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8164
msedge.exe
52.123.243.193:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8164
msedge.exe
142.251.127.190:443
www.youtube.com
GOOGLE
US
whitelisted
8164
msedge.exe
150.171.109.100:443
api.edgeoffer.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 57.153.246.3
  • 48.209.133.15
  • 48.209.138.189
whitelisted
activation-v2.sls.microsoft.com
  • 128.24.231.64
whitelisted
google.com
  • 142.251.110.102
  • 142.251.110.101
  • 142.251.110.138
  • 142.251.110.113
  • 142.251.110.139
  • 142.251.110.100
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
config.edge.skype.com
  • 52.123.243.193
  • 52.123.243.217
  • 52.123.243.210
  • 52.123.243.94
whitelisted
www.youtube.com
  • 142.251.127.190
  • 142.251.13.190
  • 142.251.110.93
  • 192.178.183.190
  • 142.251.127.93
  • 192.178.183.136
  • 142.251.110.91
  • 192.178.183.91
  • 142.251.13.136
  • 192.178.183.93
  • 142.251.14.93
  • 142.251.13.93
  • 142.251.14.190
  • 142.251.14.91
  • 142.251.13.91
  • 142.251.14.136
whitelisted
api.edgeoffer.microsoft.com
  • 150.171.109.100
whitelisted
copilot.microsoft.com
  • 104.18.22.222
  • 104.18.23.222
whitelisted
www.bing.com
  • 2.16.241.201
  • 2.16.241.205
  • 2.16.241.218
  • 2.16.241.207
  • 184.86.251.27
  • 184.86.251.16
  • 184.86.251.28
  • 184.86.251.30
  • 184.86.251.4
  • 184.86.251.29
  • 184.86.251.5
  • 184.86.251.31
  • 184.86.251.23
whitelisted
www.gstatic.com
  • 192.178.183.94
whitelisted

Threats

PID
Process
Class
Message
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
8164
msedge.exe
Misc activity
ET HUNTING HTTP Permissions-Policy Geolocation Directive Misconfiguration
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbmpHZ09tblp3Qk0tdjBXUWJvMlFLOE1sZmFld3xBQ3Jtc0tseXA2eVVKN2tkcEZzQWpVT0Z0TmV2UWVEUDdwR3BIT1BUUFJiemJINlRVWUtHeDBLV0puM2FlY2JESXJ1dFdGdjNMRUM3VjVhakdQenJCdzZvSzlaX2RXOVRQbzFmTndYNm91VjYxMWdOUWh3TmxiNA&q=https%3A%2F%2Fbytearmor.net%2F&v=yPJo_6mii4Y