File name: PoP8Setup.exe

Full analysis: https://app.any.run/tasks/66be4f22-4521-401b-9753-3dccfe979338
Verdict: Malicious activity
Analysis date: February 20, 2024, 08:03:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C6BFECE49E4A232B1269CCDDD3BDB51B
SHA1: BAD23757E9B1772044291F7B1C70D11F5B8CCA5C
SHA256: 439376954E942602A4045C50D9DA6BAFB73611D5598A53ACF8C6FEF2CA6F9323
SSDEEP: 98304:X4xZEXvYVF0WQ9/dqq5aRIWJKJdj07b6M9PQw5928o6+ZXuGM89DbqJnFK0S6jRD:Ys+9H35

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • PoP8Setup.exe (PID: 2840)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • PoP8Setup.exe (PID: 2840)
    • The process creates files with name similar to system file names
      • PoP8Setup.exe (PID: 2840)
    • Process drops legitimate windows executable
      • PoP8Setup.exe (PID: 2840)
    • Creates a software uninstall entry
      • PoP8Setup.exe (PID: 2840)
    • Changes Internet Explorer settings (feature browser emulation)
      • pop8win.exe (PID: 2120)
    • Reads the Internet Settings
      • pop8win.exe (PID: 2120)
  • INFO
    • Create files in a temporary directory
      • PoP8Setup.exe (PID: 2840)
      • pop8win.exe (PID: 2120)
    • Checks supported languages
      • PoP8Setup.exe (PID: 2840)
      • pop8win.exe (PID: 2120)
    • Reads Environment values
      • PoP8Setup.exe (PID: 2840)
      • pop8win.exe (PID: 2120)
    • Reads the machine GUID from the registry
      • PoP8Setup.exe (PID: 2840)
      • pop8win.exe (PID: 2120)
    • Reads Microsoft Office registry keys
      • PoP8Setup.exe (PID: 2840)
    • Creates files in the program directory
      • PoP8Setup.exe (PID: 2840)
    • Reads the computer name
      • PoP8Setup.exe (PID: 2840)
      • pop8win.exe (PID: 2120)
    • Manual execution by a user
      • pop8win.exe (PID: 2120)
    • Creates files or folders in the user directory
      • pop8win.exe (PID: 2120)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:08 10:10:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 8192
InitializedDataSize: 2411008
UninitializedDataSize: -
EntryPoint: 0x15ad
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2023.11.16.1214
ProductVersionNumber: 8.9.4554.8721
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: Harzing's Publish or Perish
ProductVersion: 8.9.4554.8721
CompanyName: Tarma Software Research Ltd
LegalCopyright: (c) 1990-2023 Tarma Software Research Ltd
Email: -
WebSite: https://harzing.com
FileDescription: Installer for Harzing's Publish or Perish
FileVersion: 2023.11.16.1214
OriginalFileName: PoP8Setup.exe
InternalName: TSULoader
Comments: WinNT (x86) Unicode Lib Rel
ProductCode: {D7808C1C-93A9-4369-8385-A789888ED9D7}
PackageCode: {F4D45BF5-4BE7-4EEF-D5C1-8B04C00010F4}
Arguments: -
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (image in the full report): start → pop8setup.exe; pop8win.exe (no specs); pop8setup.exe (no specs)

Process information

PID: 2120
CMD: "C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe"
Path: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe
Parent process: explorer.exe
User: admin
Company: Tarma Software Research Ltd
Integrity Level: MEDIUM
Description: Harzing's Publish or Perish (Windows GUI Edition)
Exit code: 0
Version: 2023.11.16.1208
Modules (images):
  c:\program files\harzing's publish or perish 8\pop8win.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
  c:\windows\system32\gdi32.dll

PID: 2840
CMD: "C:\Users\admin\AppData\Local\Temp\PoP8Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\PoP8Setup.exe
Parent process: explorer.exe
User: admin
Company: Tarma Software Research Ltd
Integrity Level: HIGH
Description: Installer for Harzing's Publish or Perish
Exit code: 0
Version: 2023.11.16.1214
Modules (images):
  c:\users\admin\appdata\local\temp\pop8setup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\imm32.dll

PID: 3652
CMD: "C:\Users\admin\AppData\Local\Temp\PoP8Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\PoP8Setup.exe
Parent process: explorer.exe
User: admin
Company: Tarma Software Research Ltd
Integrity Level: MEDIUM
Description: Installer for Harzing's Publish or Perish
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited so that the installer could be relaunched elevated, which is the HIGH-integrity PID 2840 above)
Version: 2023.11.16.1214
Modules (images):
  c:\users\admin\appdata\local\temp\pop8setup.exe
  c:\windows\system32\ntdll.dll
Total events: 1 873
Read events: 1 836
Write events: 29
Delete events: 8

Modification events

Process: (PID 2840) PoP8Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
  Owner = 180B00008EECFE40D363DA01
  SessionHash = 1E3251B73168098CE4DC58CA5BCC15B4E34D95D26A4B876E5A66E47A1CFC90A0
  Sequence = 1

Process: (PID 2840) PoP8Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}
Operation: write
  UninstallString = C:\PROGRA~2\UNINST~1\{D7808~1\Setup.exe /remove /q0
  QuietUninstallString = C:\PROGRA~2\UNINST~1\{D7808~1\Setup.exe /remove /q
  ModifyPath = C:\PROGRA~2\UNINST~1\{D7808~1\Setup.exe /q0
  Version = 134812106
  VersionMajor = 8
  VersionMinor = 9
  EstimatedSize = 4559
Executable files: 19
Suspicious files: 2
Text files: 6
Unknown types: 2

Dropped files (all by PID 2840, PoP8Setup.exe)

C:\Users\admin\AppData\Local\Temp\0DE93F5C\_Setup.dll (executable)
  MD5: 26194C692965D215B3AE641E34A46776
  SHA256: 50F4858D53596DEA17C2647BA1B3BA6081BD9F0394BB042315E04874F2FC0A39
C:\Users\admin\AppData\Local\Temp\0DE93F5C\Setup.exe (executable)
  MD5: A0531C8B0812F06157B0174E6693EF7F
  SHA256: C8FC2E03C7F788EB73E1C8C1B74065CC1AAD72C32E9F82CDF1C4A77B31D91E90
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Tsu.dll (executable)
  MD5: 82D040BD8566271861DACD6CB7B7072B
  SHA256: 491B00BB02A686A1CDC8B54B89FA2836A30C091A3C07013C7FAB354EBFF4B6EB
C:\Users\admin\AppData\Local\Temp\0DE93F5C\Setup.ico (image)
  MD5: B90F4266176630002A965362083F5DAA
  SHA256: 79DA7C4A1DBD6C0D09C30A2025AEC71BC652241F6BA06D7A90F5B47F963B991A
C:\Users\admin\AppData\Local\Temp\0DE93F5C.dat (binary)
  MD5: 83B70EC6D6B01719CB1565DD339C0570
  SHA256: 3CF90A35238F3C70F3503CAD1ECCCD1F80217EC1F045B60EF6120EE92C14A6C0
C:\Users\admin\AppData\Local\Temp\TsuBF332708.dll (executable)
  MD5: 82D040BD8566271861DACD6CB7B7072B
  SHA256: 491B00BB02A686A1CDC8B54B89FA2836A30C091A3C07013C7FAB354EBFF4B6EB
C:\Users\admin\AppData\Local\Temp\0DE93F5C\Readme.txt (text)
  MD5: BFD7A7689CA53FF9CA66C96305803B5D
  SHA256: 4A0FD36ED6936302CE603ED8BA86E676ACCC9CDFE41989D4CED0D452434B29E0
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\_Setup.dll (executable)
  MD5: 26194C692965D215B3AE641E34A46776
  SHA256: 50F4858D53596DEA17C2647BA1B3BA6081BD9F0394BB042315E04874F2FC0A39
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Setup.ico (image)
  MD5: B90F4266176630002A965362083F5DAA
  SHA256: 79DA7C4A1DBD6C0D09C30A2025AEC71BC652241F6BA06D7A90F5B47F963B991A
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Setup.exe (executable)
  MD5: A0531C8B0812F06157B0174E6693EF7F
  SHA256: C8FC2E03C7F788EB73E1C8C1B74065CC1AAD72C32E9F82CDF1C4A77B31D91E90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:138   -       -    -   whitelisted
4     System       192.168.100.255:137   -       -    -   whitelisted
1080  svchost.exe  224.0.0.252:5355      -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info