File name:

mwbyte.exe

Full analysis: https://app.any.run/tasks/9fbfe678-5186-4cb1-b9d4-b0e0c5bb19c3
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: February 22, 2025, 17:32:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
ims-api
generic
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 6 sections
MD5:

8895772E36D7B2CD0151B3351202D67B

SHA1:

0C452149D476C71023CE35C4CA8BEB074278EA84

SHA256:

C47F60D15CEBDE6F694B909AFD11394EE3F2E64AF29A97C03680A790703D0DE9

SSDEEP:

98304:0UuClEzPRerQxrpvae8Jh8190l+PEkKV+4Yg8liaXeICD80SxmM9qcQReLFtibsf:EFZB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • mwbyte.exe (PID: 6388)

  • SUSPICIOUS

    • Reads the BIOS version

      • mwbyte.exe (PID: 6388)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • mwbyte.exe (PID: 6388)

    • Executes application which crashes

      • mwbyte.exe (PID: 6388)

  • INFO

    • Checks supported languages

      • mwbyte.exe (PID: 6388)

    • Reads the software policy settings

      • WerFault.exe (PID: 6724)

    • Checks proxy server information

      • WerFault.exe (PID: 6724)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6724)

    • Themida protector has been detected

      • mwbyte.exe (PID: 6388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(6388) mwbyte.exe
Discord-Webhook-Tokens (1)1339998726902644836/u-lXyTL4D5WI4GqEOhxDsZfprA2tFXCQ4vXzLzgk-RF1WivjFhXkuM9_8SO_ppj24gkS
Discord-Info-Links
1339998726902644836/u-lXyTL4D5WI4GqEOhxDsZfprA2tFXCQ4vXzLzgk-RF1WivjFhXkuM9_8SO_ppj24gkS
Get Webhook Infohttps://discord.com/api/webhooks/1339998726902644836/u-lXyTL4D5WI4GqEOhxDsZfprA2tFXCQ4vXzLzgk-RF1WivjFhXkuM9_8SO_ppj24gkS
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:14 17:27:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.42
CodeSize: 418304
InitializedDataSize: 109568
UninitializedDataSize: -
EntryPoint: 0x4c3000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start mwbyte.exe conhost.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
6388"C:\Users\admin\Desktop\mwbyte.exe" C:\Users\admin\Desktop\mwbyte.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\desktop\mwbyte.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.3636_none_c0df324c38bbc0ce\comctl32.dll
ims-api
(PID) Process(6388) mwbyte.exe
Discord-Webhook-Tokens (1)1339998726902644836/u-lXyTL4D5WI4GqEOhxDsZfprA2tFXCQ4vXzLzgk-RF1WivjFhXkuM9_8SO_ppj24gkS
Discord-Info-Links
1339998726902644836/u-lXyTL4D5WI4GqEOhxDsZfprA2tFXCQ4vXzLzgk-RF1WivjFhXkuM9_8SO_ppj24gkS
Get Webhook Infohttps://discord.com/api/webhooks/1339998726902644836/u-lXyTL4D5WI4GqEOhxDsZfprA2tFXCQ4vXzLzgk-RF1WivjFhXkuM9_8SO_ppj24gkS
6396\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exemwbyte.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6724C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6388 -s 584C:\Windows\SysWOW64\WerFault.exe
mwbyte.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
6 586
Read events
6 586
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
6724WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_mwbyte.exe_736e5b9a0f168c463c7e90d176644a13c6e866_41cc1085_2e35a01a-b998-45ab-830e-ba1ddc181a32\Report.wer
MD5:
SHA256:
6724WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\mwbyte.exe.6388.dmp
MD5:
SHA256:
6724WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER93D7.tmp.dmpbinary
MD5:82163107F0CDF186BC2DA2C0F28EF7B2
SHA256:F892031B28C261D48ED545FDBE2793DEA6436EDB63C82618DC746C1DC614D0D6
6724WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER955F.tmp.xmlxml
MD5:5C11A3D9CCA01B2C15CEC79C213151B4
SHA256:8F1420E4586847F73495FEF78940366739D19BA125DB041AE9069A3B71836BAA
6724WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER9501.tmp.WERInternalMetadata.xmlbinary
MD5:7AA0C11AA818EC39BE5AAF91B40F2398
SHA256:9AAFDC29D70B0589445446D6F9DD7C743D2231C8E2D60293FD4F4FD6EFCB11BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
18
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.183:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
184.86.251.17:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.183:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
6724
WerFault.exe
20.189.173.22:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5064
SearchApp.exe
184.86.251.17:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5448
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3976
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2164
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.bing.com
  • 184.86.251.17
  • 184.86.251.19
  • 184.86.251.27
  • 184.86.251.21
  • 184.86.251.20
  • 184.86.251.22
  • 184.86.251.9
  • 184.86.251.13
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.48.23.183
  • 23.48.23.190
  • 23.48.23.182
  • 23.48.23.179
  • 23.48.23.137
  • 23.48.23.192
  • 23.48.23.189
  • 23.48.23.195
  • 23.48.23.191
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.22
whitelisted
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted

Threats

No threats detected
Process
Message
mwbyte.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
mwbyte.exe