File name:

ovrflw.exe

Full analysis: https://app.any.run/tasks/1e75268f-bb25-4b31-afb3-bb17ab715d9f
Verdict: Malicious activity
Analysis date: September 09, 2024, 07:58:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

3ADFC7CF1E296C6FB703991C5233721D

SHA1:

FDDD2877CE7952B91C3F841CA353235D6D8EEA67

SHA256:

6BC23179D079D220337EDE270113D4A474B549F5F0C7FD57F3D33D318F7AE471

SSDEEP:

12288:dfMBR++3UIUMTTRNXrvplM3WNpnG9pJYzMLcUB6C4KTP37FgM4Bl0cC2QlgLFDxe:dfMBR3yyNv3qg+VgEqDx0clRWTw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • ovrflw.exe (PID: 3964)

    • XORed URL has been found (YARA)

      • mswabnet.exe (PID: 5692)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • ovrflw.exe (PID: 3964)

    • Reads security settings of Internet Explorer

      • ovrflw.exe (PID: 3964)

    • Executable content was dropped or overwritten

      • ovrflw.exe (PID: 3964)

    • Starts itself from another location

      • ovrflw.exe (PID: 3964)

    • Connects to unusual port

      • mswabnet.exe (PID: 5692)

  • INFO

    • Checks supported languages

      • ovrflw.exe (PID: 3964)
      • mswabnet.exe (PID: 5692)

    • Creates files or folders in the user directory

      • ovrflw.exe (PID: 3964)

    • Reads the computer name

      • ovrflw.exe (PID: 3964)
      • mswabnet.exe (PID: 5692)

    • The process uses the downloaded file

      • ovrflw.exe (PID: 3964)

    • Process checks computer location settings

      • ovrflw.exe (PID: 3964)

    • Reads the machine GUID from the registry

      • mswabnet.exe (PID: 5692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(5692) mswabnet.exe
Decrypted-URLs (3)http://www.google.com/bot.html)
http://www.google.com/bot.html))
http://www.googlebot.com/bot.html)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2093:02:13 03:03:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 1419264
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x15c6ae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Microsoft(C) Network Agent
CompanyName: Microsoft(C)
FileDescription: Microsoft(C) Network Agent
FileVersion: 0.0.0.0
InternalName: ovrflw.exe
LegalCopyright: Microsoft Corporation 2024
LegalTrademarks: -
OriginalFileName: ovrflw.exe
ProductName: Microsoft(C) Network Agent
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ovrflw.exe #XOR-URL mswabnet.exe

Process information

PID
CMD
Path
Indicators
Parent process
3964"C:\Users\admin\Desktop\ovrflw.exe" C:\Users\admin\Desktop\ovrflw.exe
explorer.exe
User:
admin
Company:
Microsoft(C)
Integrity Level:
MEDIUM
Description:
Microsoft(C) Network Agent
Exit code:
4294967295
Version:
0.0.0.0
Modules
Images
c:\users\admin\desktop\ovrflw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5692"C:\Users\admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe" C:\Users\admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
ovrflw.exe
User:
admin
Company:
Microsoft(C)
Integrity Level:
MEDIUM
Description:
Microsoft(C) Network Agent
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\microsoft network agent\mswabnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
xor-url
(PID) Process(5692) mswabnet.exe
Decrypted-URLs (3)http://www.google.com/bot.html)
http://www.google.com/bot.html))
http://www.googlebot.com/bot.html)
Total events
560
Read events
559
Write events
1
Delete events
0

Modification events

(PID) Process:(3964) ovrflw.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Microsoft Network Agent
Value:
"C:\Users\admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3964ovrflw.exeC:\Users\admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exeexecutable
MD5:3ADFC7CF1E296C6FB703991C5233721D
SHA256:6BC23179D079D220337EDE270113D4A474B549F5F0C7FD57F3D33D318F7AE471
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
19
DNS requests
4
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6872
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2120
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6872
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6872
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
5692
mswabnet.exe
185.208.158.114:1256
US
unknown
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted

Threats

PID
Process
Class
Message
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ovrflw.exe