File name: Rover.exe

Full analysis: https://app.any.run/tasks/5fd49cd6-387b-46cb-9de2-f7be1d685905
Verdict: Malicious activity
Analysis date: February 13, 2024, 03:18:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 63D052B547C66AC7678685D9F3308884
SHA1: A6E42E6A86E3FF9FEC137C52B1086EE140A7B242
SHA256: 8634E9241729F16A8C2C23D5C184384815B97026E3D1A2D6DD0DDC825B142ABA
SSDEEP: 98304:Oapmon4QzApS9hNQdrhEYzOi85kXNjMcDPWDnkE3DJ910Fx5mwAbguuwS09Fo:OQhn5EQ9hNQAYzA5k6cTWDn7JKObS09u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the login/logoff helper path in the registry
      • Rover.exe (PID: 3772)
    • Drops the executable file immediately after the start
      • Rover.exe (PID: 3772)
    • UAC/LUA settings modification
      • Rover.exe (PID: 3772)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Rover.exe (PID: 3772)
  • INFO
    • Checks supported languages
      • Rover.exe (PID: 3772)
    • Process checks whether UAC notifications are on
      • Rover.exe (PID: 3772)
    • Creates files in the program directory
      • Rover.exe (PID: 3772)
    • Reads the machine GUID from the registry
      • Rover.exe (PID: 3772)
    • Reads the computer name
      • Rover.exe (PID: 3772)
    • Creates files or folders in the user directory
      • Rover.exe (PID: 3772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 5268992
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Desktop Assistant
CompanyName: -
FileDescription: Rover The Desktop Assistant (beta version)
FileVersion: 1.0.0.0
InternalName: Rover.exe
LegalCopyright: Copyright © 2023
LegalTrademarks: -
OriginalFileName: Rover.exe
ProductName: Created by CYBER SOLDIER aka Clutter
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Process information

PID | CMD | Path | Indicators | Parent process
2472 | "C:\Users\admin\Desktop\Rover.exe" | C:\Users\admin\Desktop\Rover.exe | (none) | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Rover The Desktop Assistant (beta version)
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\desktop\rover.exe
    c:\windows\system32\ntdll.dll
3772 | "C:\Users\admin\Desktop\Rover.exe" | C:\Users\admin\Desktop\Rover.exe | see the indicator list above (all triggered by PID 3772) | explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: Rover The Desktop Assistant (beta version)
  Exit code: 0
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\desktop\rover.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll

The first instance (PID 2472) ran at MEDIUM integrity and exited with STATUS_ELEVATION_REQUIRED; the second instance (PID 3772) ran at HIGH integrity, i.e. elevated, which is what permitted the HKEY_LOCAL_MACHINE writes listed under Modification events.
Total events: 754
Read events: 735
Write events: 19
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3772 | Rover.exe | HKEY_CURRENT_USER\Software\rover | write | lang | English (EN)
3772 | Rover.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | FilterAdministratorToken | 1
3772 | Rover.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
3772 | Rover.exe | HKEY_CURRENT_USER\Software\rover | write | username | "nickname"
3772 | Rover.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | write | Shell | explorer.exe, C:\Program Files\rover\rover.exe
3772 | Rover.exe | HKEY_CURRENT_USER\Software\rover | write | tts_vol | 50
3772 | Rover.exe | HKEY_CURRENT_USER\Software\rover | write | tts_rate | 0
3772 | Rover.exe | HKEY_CURRENT_USER\Software\rover | write | filter_red | 0
3772 | Rover.exe | HKEY_CURRENT_USER\Software\rover | write | filter_green | 0
3772 | Rover.exe | HKEY_CURRENT_USER\Software\rover | write | filter_blue | 0

The three HKEY_LOCAL_MACHINE writes are the ones flagged as MALICIOUS above: EnableLUA = 0 turns UAC off (effective after the next reboot), and the Winlogon Shell value replaces the default "explorer.exe" with a list that also starts C:\Program Files\rover\rover.exe at every interactive logon, a persistence mechanism. The HKEY_CURRENT_USER\Software\rover values are the application's own settings.
Executable files: 1
Suspicious files: 12
Text files: 496
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.005.png | image
  MD5: 4568226931D995534E249F402AF4825A
  SHA256: C1EF483BBF4DA565D3445A48A81B77B2DB2257AFD39C9B17B67E2E0277CFA24B
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.006.png | image
  MD5: 3D8699EC82F73E244B078D9F16BDAC5C
  SHA256: B1F9AE224B7B7988E6FF76C9A951609BA88290B79BC295F015186495E693479F
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.003.png | image
  MD5: CF62C5107B66367690832F72854BFFAE
  SHA256: 075B30FC4D1997D1826148D9A98DBE3A6B06EA53862FD2C453F5D6AD8C288E62
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.009.png | image
  MD5: 571AFD578CFAEF347A6052AFE253461B
  SHA256: 6CC53BAC0224FEADA9FE44E4FF957EC187709858A07158EE6FF0B84A604D7110
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.015.png | image
  MD5: DA259A8B6C3CC0E31F5A3E3FF2EC9857
  SHA256: 4839100A04F859F3450955DBA13094B2BD6B1893F6BAF075882DE54800BD3A9E
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.017.png | image
  MD5: 11EE4D7CE2DF00CD58DC877817CC592C
  SHA256: 287A0412441F0AE40DCFBC8A6444E34379295FD017B807D1AABE7D7FDFBE96B2
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.014.png | image
  MD5: BD65E98C40A77188E231F2E89B224A7D
  SHA256: 8A22BDC7116DE7970BB06E2124B5336CF3BC488310E4D796021D01CF378A4A1D
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.001.png | image
  MD5: AA84C45293EF08A7A64DB8F5D12B5DD0
  SHA256: 8178152F670855DD0CB4412494C80B854A164EE02922A112DA4266AF53F9195D
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.008.png | image
  MD5: B3F53C1DC286776CF34641C7B8256DFA
  SHA256: 43C42124AE7D35D7ACDEAFDBB16A890B4667B4089920810FBFD1CC19AB9AEFCA
3772 | Rover.exe | C:\Program Files\rover\Ashamed\Ashamed.007.png | image
  MD5: 72685D7C7CC4C77E20618264B4150331
  SHA256: B67E7613906632BC3F8AEC7541F2D99FB73C9406183699F9EAB3D97952AEB81B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
4 | System | 192.168.100.255:137 | (none) | (none) | (none) | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | (none) | (none) | (none) | unknown

None of the listed connections originate from Rover.exe (PIDs 2472 and 3772): the System and svchost.exe entries are NetBIOS name/datagram broadcasts (UDP 137/138) and LLMNR multicast (UDP 5355), normal Windows background traffic on the sandbox network.

DNS requests

No data

Threats

No threats detected
No debug info