File name: Electron.exe
Full analysis: https://app.any.run/tasks/2dd9afbc-930a-4e4e-b1e0-7139e5593d2f
Verdict: Malicious activity
Analysis date: October 29, 2023, 09:56:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 28564F4FBB6558373CBB82469EF2587D
SHA1: 2C8F089DF7A8D2DFCE7C4C29AF2DB6EDA5940D80
SHA256: E9F944AB296BCAA235EB584D6B7FA2811FC1A0F3BC2596A99675CDD114CDFCF5
SSDEEP: 98304:xkKnhd6yuxhRsHHfrIHj8yBzAziXOhhFaD:mEhoyuEHcjJBzAzJhhFaD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Electron.exe (PID: 3328)
    • Loads dropped or rewritten executable
      • WerFault.exe (PID: 1920)
    • The DLL Hijacking
      • WerFault.exe (PID: 1920)
  • SUSPICIOUS
    • Reads the BIOS version
      • Electron.exe (PID: 3328)
    • Process drops legitimate windows executable
      • Electron.exe (PID: 3328)
    • Reads the Internet Settings
      • Electron.exe (PID: 3328)
      • WerFault.exe (PID: 1920)
  • INFO
    • Process checks are UAC notifies on
      • Electron.exe (PID: 3328)
    • Checks supported languages
      • Electron.exe (PID: 3328)
    • Create files in a temporary directory
      • Electron.exe (PID: 3328)
      • WerFault.exe (PID: 1920)
    • Reads the computer name
      • Electron.exe (PID: 3328)
    • Reads the machine GUID from the registry
      • Electron.exe (PID: 3328)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 1920)

How to read the MALICIOUS tier: the "drops the executable file" hit is Electron.exe writing three DLLs into its own %TEMP% directory (listed under Dropped files). The "loads dropped or rewritten executable" and "DLL Hijacking" hits are attributed to WerFault.exe (PID 1920), the Windows crash handler that svchost.exe started after Electron.exe (PID 3328) crashed, not to the sample. The module list recorded for PID 1920 in the process table below shows only images under C:\Windows\System32, so confirm in the full report which image path triggered those two signatures before using them as evidence about the sample itself.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

TRiD scores are byte-pattern heuristics, not a header parse: its top guess is "DLL" although the PE header (File info above; Subsystem: Windows GUI and ObjectFileType: Executable application below) identifies an executable. Treat the PE header as authoritative.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2103:09:18 14:54:14+02:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 1021440
InitializedDataSize: 130048
UninitializedDataSize: -
EntryPoint: 0x71c058
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Electron UI V2 NEW
CompanyName: ryos.lol
FileDescription: Electron
FileVersion: 1.0.0.0
InternalName: Electron.exe
LegalCopyright: Copyright ryos.lol © 2021
LegalTrademarks: -
OriginalFileName: Electron.exe
ProductName: Electron
ProductVersion: 1.0.0.0
AssemblyVersion: 1.1.0.0

Two of these fields need context. The sample is a .NET assembly: it carries an AssemblyVersion, PID 3328 loads mscoree.dll (the CLR shim) before the image itself, and LinkerVersion 48 is the value the Roslyn C#/VB compilers write into the optional header. For .NET assemblies built deterministically the PE TimeStamp field holds a hash of the build inputs rather than a time, which is why it decodes to the year 2103; it says nothing about when the file was built. FileVersion/ProductVersion (1.0.0.0) and AssemblyVersion (1.1.0.0) are independent attributes and need not agree.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the Parent process column of the process table below:

explorer.exe
  Electron.exe (PID 2752, MEDIUM integrity; exited 0xC000042C STATUS_ELEVATION_REQUIRED with only ntdll.dll mapped)
  Electron.exe (PID 3328, HIGH integrity; crashed, handled by WerFault.exe)
    wisptis.exe (PID 3632, /ManualLaunch; exited 0xC000042C)
    wisptis.exe (PID 3916, /ManualLaunch)
svchost.exe
  WerFault.exe (PID 1920, -u -p 3328 -s 1352: crash handler for PID 3328)

The pair of Electron.exe processes is the pattern of an executable whose manifest requests elevation: the first instance is torn down during loader initialisation with STATUS_ELEVATION_REQUIRED, the UAC prompt is answered (the "Process checks are UAC notifies on" signature above), and the same image is relaunched at HIGH integrity. Its children (wisptis.exe) and the WerFault.exe instance that handled its crash also run at HIGH integrity.

Process information

Module lists are as given in this summary; the full report has the complete list for each process.

PID 1920
CMD: C:\Windows\system32\WerFault.exe -u -p 3328 -s 1352
Path: C:\Windows\System32\WerFault.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll

PID 2752
CMD: "C:\Users\admin\AppData\Local\Temp\Electron.exe"
Path: C:\Users\admin\AppData\Local\Temp\Electron.exe
Parent process: explorer.exe
User: admin
Company: ryos.lol
Integrity Level: MEDIUM
Description: Electron
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\electron.exe
c:\windows\system32\ntdll.dll

PID 3328
CMD: "C:\Users\admin\AppData\Local\Temp\Electron.exe"
Path: C:\Users\admin\AppData\Local\Temp\Electron.exe
Parent process: explorer.exe
User: admin
Company: ryos.lol
Integrity Level: HIGH
Description: Electron
Exit code: 3489660927 (0xCFFFFFFF, not a standard NTSTATUS value; WerFault.exe recorded the crash itself as 0xC0000005 STATUS_ACCESS_VIOLATION, see the ExceptionRecord value under Modification events)
Version: 1.0.0.0
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\users\admin\appdata\local\temp\electron.exe
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll

PID 3632
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\System32\wisptis.exe
Parent process: Electron.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Pen and Touch Input Component
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll

PID 3916
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\System32\wisptis.exe
Parent process: Electron.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Pen and Touch Input Component
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\wisptis.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events: 828
Read events: 813
Write events: 15
Delete events: 0

Modification events

PID 3328 Electron.exe, write:
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication\Name = Explorer.EXE

PID 3328 Electron.exe, write:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0

PID 3916 wisptis.exe, write:
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication\Name = Electron.exe

PID 1920 WerFault.exe, write:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord = 050000C0000000000000000038FC9E000200000001000000F0FF75147F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialog = 7603050000000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialog = 7603050000000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Debug\StoreLocation = C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aga.exe_575d27748bed99d4b86af634c449069286266ed_cab_0eb6c86c

Notes on these values:

The four ZoneMap values are the Local Intranet zone-mapping flags that urlmon/WinINet typically writes when a process first initialises the URL security zone manager. They are what the "Reads the Internet Settings" signature keys on and are consistent with the WebView2 browser components this process drops; they are not the proxy configuration itself (ProxyEnable/ProxyServer live directly under Internet Settings and are not touched here).

The ExceptionRecord value is a 32-bit EXCEPTION_RECORD stored little-endian: ExceptionCode 0xC0000005 (STATUS_ACCESS_VIOLATION), ExceptionFlags 0, ExceptionAddress 0x009EFC38, NumberParameters 2, with ExceptionInformation[0] = 1 (a write) and ExceptionInformation[1] = 0x1475FFF0 (the address written to). The remaining bytes are unused ExceptionInformation slots and carry no meaning.

The FirstLevelConsentDialog handles record that WER showed its first-level consent dialog for this crash. The StoreLocation path names an AppCrash_aga.exe_... report directory, which does not match the directory WerFault.exe actually created for this crash (AppCrash_Electron.exe_ac8b4888fa2308dba7ecdecca156e275f604589_cab_079ed86c under Dropped files), so do not treat that path as an indicator for this sample.
Executable files: 3
Suspicious files: 1
Text files: 6
Unknown types: 0

Dropped files

PID 1920 WerFault.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Electron.exe_ac8b4888fa2308dba7ecdecca156e275f604589_cab_079ed86c\Report.wer
Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID 3328 Electron.exe
C:\Users\admin\AppData\Local\Temp\Microsoft.Web.WebView2.Wpf.dll
Type: executable
MD5: 240BD782A3480DEE44DBB4632DDC7240
SHA256: 034872CE8A62BD5D7BC1627058CB0B16435E895E398EA5AD0D6B0114B4EEDFFA

PID 1920 WerFault.exe
C:\Users\admin\AppData\Local\Temp\WERCAEF.tmp.WERInternalMetadata.xml
Type: xml
MD5: EE231F28135D513B7E535320D9DE7054
SHA256: FB04E6BFDFB8AF68E045E47572081875892ECA7FDC09899FCDE68AFCF3D5908F

PID 3328 Electron.exe
C:\Users\admin\AppData\Local\Temp\WebView2Loader.dll
Type: executable
MD5: 5B17DA9ADFC5A07FA499DDED4FD52747
SHA256: 9D5918CEC81470225BE7478C7E092C24F248E8CAA824D667FB57431CAD94BE71

PID 1920 WerFault.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Electron.exe_ac8b4888fa2308dba7ecdecca156e275f604589_cab_079ed86c\WERCD22.tmp.appcompat.txt
Type: xml
MD5: 875D61B32AF26F8C388FDBE1A81CF0C1
SHA256: 18F7F8933F7BFD8DE5C0405DC7E45B8DB04634DC69938AD0FCAE71D4B97E0DFB

PID 1920 WerFault.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Electron.exe_ac8b4888fa2308dba7ecdecca156e275f604589_cab_079ed86c\WERCAEF.tmp.WERInternalMetadata.xml
Type: xml
MD5: EE231F28135D513B7E535320D9DE7054
SHA256: FB04E6BFDFB8AF68E045E47572081875892ECA7FDC09899FCDE68AFCF3D5908F

PID 1920 WerFault.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Electron.exe_ac8b4888fa2308dba7ecdecca156e275f604589_cab_079ed86c\WERD86F.tmp.WERDataCollectionFailure.txt
Type: text
MD5: 2BDBD13D3D47BC99379A84C907B3E60B
SHA256: 80DE34B8CEB540917EE303CF59AD47C2414259A89F74138927A7D4459CFCB9F2

PID 3328 Electron.exe
C:\Users\admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll
Type: executable
MD5: F342D254FDD33E76B2FD6A3F8B517DE3
SHA256: 8CCDE337ED97230A54E20DB8608E3E74E6DBE3F4D153846A07484C2FA5AE596A

PID 1920 WerFault.exe
C:\Users\admin\AppData\Local\Temp\WERCD22.tmp.appcompat.txt
Type: xml
MD5: 4EAE33B16B36BD6FB8732583FE6248A4
SHA256: 255C14C235B01F3FEFF35682AF7C46093A2EE78A338D2A06C521F0E4D5FA7E19

PID 1920 WerFault.exe
C:\Users\admin\AppData\Local\Temp\WERCF46.tmp.hdmp
Type: binary
MD5: 9C57D45800916E0E0AA935C8235D0072
SHA256: 2CAA3832501C4F8E46368DE275267B808D7A06A0A8D66B11CB26D71CDFD2CF05

Only the three files written by Electron.exe (PID 3328) come from the sample: Microsoft.Web.WebView2.Wpf.dll, WebView2Loader.dll and Microsoft.Web.WebView2.Core.dll, which by name are the Microsoft WebView2 SDK components and are what the "Process drops legitimate windows executable" signature refers to. The name alone does not establish that they are unmodified; check their Authenticode signatures and compare the hashes above with the files shipped in the WebView2 SDK package before accepting them as benign. Everything written by WerFault.exe (Report.wer, the appcompat and WERInternalMetadata XML, the WERDataCollectionFailure text and the WERCF46.tmp.hdmp heap dump) is crash-report material; the .hdmp is the artefact to open if the crash needs root-causing.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4 System: 192.168.100.255:137, reputation whitelisted
PID 4 System: 192.168.100.255:138, reputation whitelisted
PID 2656 svchost.exe: 239.255.255.250:1900, reputation whitelisted
PID 1088 svchost.exe: 224.0.0.252:5355, reputation unknown
PID 1920 WerFault.exe: 104.208.16.93:443, domain watson.microsoft.com, ASN MICROSOFT-CORP-MSN-AS-BLOCK, CN US, reputation unknown

The first four entries are the guest's own broadcast and multicast traffic (NetBIOS on 137/138, SSDP on 1900, LLMNR on 5355) and are unrelated to the sample. The only unicast connection belongs to WerFault.exe submitting the crash report to Microsoft's Watson endpoint over TLS, which also accounts for the single DNS query below. Neither Electron.exe process (2752 or 3328) opened a network connection during the run, so this report contains no network indicators for the sample itself.

DNS requests

watson.microsoft.com -> 104.208.16.93, reputation whitelisted

Threats

No threats detected

Debug output

Process: WerFault.exe
Message: ReadProcessMemory failed while trying to read PebBaseAddress
Process: WerFault.exe
Message: Failed to read the peb from the process
Process: WerFault.exe
Message: (none)
Process: WerFault.exe
Message: Error -
Process: WerFault.exe
Message: Error -
Process: WerFault.exe
Message: (none)

These are WerFault.exe's own diagnostics: it could not read the PEB of the crashed process (PID 3328), so parts of the collected crash data are incomplete. The WERD86F.tmp.WERDataCollectionFailure.txt file it wrote into the ReportQueue directory (see Dropped files) is WER's record of that data-collection failure.