File name: Publish-or-Perish-8.9.4554.exe

Full analysis: https://app.any.run/tasks/848afb44-dc0e-4c12-a34c-149d6ed8b262
Verdict: Malicious activity
Analysis date: February 09, 2024, 11:57:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C6BFECE49E4A232B1269CCDDD3BDB51B
SHA1: BAD23757E9B1772044291F7B1C70D11F5B8CCA5C
SHA256: 439376954E942602A4045C50D9DA6BAFB73611D5598A53ACF8C6FEF2CA6F9323
SSDEEP: 98304:X4xZEXvYVF0WQ9/dqq5aRIWJKJdj07b6M9PQw5928o6+ZXuGM89DbqJnFK0S6jRD:Ys+9H35

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
  • SUSPICIOUS
    • The process creates files with names similar to system file names
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
    • Executable content was dropped or overwritten
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
    • Process drops legitimate Windows executable
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
    • Creates a software uninstall entry
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
    • Reads the Internet Settings
      • pop8win.exe (PID: 864)
    • Changes Internet Explorer settings (feature browser emulation)
      • pop8win.exe (PID: 864)
  • INFO
    • Checks supported languages
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
      • pop8win.exe (PID: 864)
    • Reads the computer name
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
      • pop8win.exe (PID: 864)
    • Reads Microsoft Office registry keys
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
    • Creates files in a temporary directory
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
      • pop8win.exe (PID: 864)
    • Reads Environment values
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
      • pop8win.exe (PID: 864)
    • Reads the machine GUID from the registry
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
      • pop8win.exe (PID: 864)
    • Creates files in the program directory
      • Publish-or-Perish-8.9.4554.exe (PID: 3772)
    • Manual execution by a user
      • pop8win.exe (PID: 864)
    • Creates files or folders in the user directory
      • pop8win.exe (PID: 864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:08 10:10:25+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 8192
InitializedDataSize: 2411008
UninitializedDataSize: -
EntryPoint: 0x15ad
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2023.11.16.1214
ProductVersionNumber: 8.9.4554.8721
FileFlagsMask: 0x003f
FileFlags: Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: Harzing's Publish or Perish
ProductVersion: 8.9.4554.8721
CompanyName: Tarma Software Research Ltd
LegalCopyright: (c) 1990-2023 Tarma Software Research Ltd
Email: -
WebSite: https://harzing.com
FileDescription: Installer for Harzing's Publish or Perish
FileVersion: 2023.11.16.1214
OriginalFileName: PoP8Setup.exe
InternalName: TSULoader
Comments: WinNT (x86) Unicode Lib Rel
ProductCode: {D7808C1C-93A9-4369-8385-A789888ED9D7}
PackageCode: {F4D45BF5-4BE7-4EEF-D5C1-8B04C00010F4}
Arguments: -
SpecialBuild: -
No data.
Total processes: 42
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree (interactive graph available in the full report): start -> publish-or-perish-8.9.4554.exe; pop8win.exe (no specs); publish-or-perish-8.9.4554.exe (no specs)

Process information

PID: 864
CMD: "C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe"
Path: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe
Parent process: explorer.exe
User: admin
Company: Tarma Software Research Ltd
Integrity Level: MEDIUM
Description: Harzing's Publish or Perish (Windows GUI Edition)
Exit code: 0
Version: 2023.11.16.1208
Modules (images):
c:\program files\harzing's publish or perish 8\pop8win.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 3240
CMD: "C:\Users\admin\AppData\Local\Temp\Publish-or-Perish-8.9.4554.exe"
Path: C:\Users\admin\AppData\Local\Temp\Publish-or-Perish-8.9.4554.exe
Parent process: explorer.exe
User: admin
Company: Tarma Software Research Ltd
Integrity Level: MEDIUM
Description: Installer for Harzing's Publish or Perish
Exit code: 3221226540
Version: 2023.11.16.1214
Modules (images):
c:\users\admin\appdata\local\temp\publish-or-perish-8.9.4554.exe
c:\windows\system32\ntdll.dll

PID: 3772
CMD: "C:\Users\admin\AppData\Local\Temp\Publish-or-Perish-8.9.4554.exe"
Path: C:\Users\admin\AppData\Local\Temp\Publish-or-Perish-8.9.4554.exe
Parent process: explorer.exe
User: admin
Company: Tarma Software Research Ltd
Integrity Level: HIGH
Description: Installer for Harzing's Publish or Perish
Exit code: 0
Version: 2023.11.16.1214
Modules (images):
c:\users\admin\appdata\local\temp\publish-or-perish-8.9.4554.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events: 1 873
Read events: 1 836
Write events: 29
Delete events: 8

Modification events

PID | Process | Key | Operation | Name | Value
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | Owner | BC0E000028EC09244F5BDA01
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | SessionHash | FCBCCD5A71F2E11D2214AE143485F1BBF3EEFFC05EE42742BB48136AB65BA8B1
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | write | Sequence | 1
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7} | write | UninstallString | C:\PROGRA~2\UNINST~1\{D7808~1\Setup.exe /remove /q0
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7} | write | QuietUninstallString | C:\PROGRA~2\UNINST~1\{D7808~1\Setup.exe /remove /q
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7} | write | ModifyPath | C:\PROGRA~2\UNINST~1\{D7808~1\Setup.exe /q0
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7} | write | Version | 134812106
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7} | write | VersionMajor | 8
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7} | write | VersionMinor | 9
3772 | Publish-or-Perish-8.9.4554.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7} | write | EstimatedSize | 4559
Executable files: 19
Suspicious files: 1
Text files: 6
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3772 | Publish-or-Perish-8.9.4554.exe | C:\Users\admin\AppData\Local\Temp\TsuDA3E1A0E.dll | executable | 82D040BD8566271861DACD6CB7B7072B | 491B00BB02A686A1CDC8B54B89FA2836A30C091A3C07013C7FAB354EBFF4B6EB
3772 | Publish-or-Perish-8.9.4554.exe | C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Readme.txt | text | BFD7A7689CA53FF9CA66C96305803B5D | 4A0FD36ED6936302CE603ED8BA86E676ACCC9CDFE41989D4CED0D452434B29E0
3772 | Publish-or-Perish-8.9.4554.exe | C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\_Setup.dll | executable | 26194C692965D215B3AE641E34A46776 | 50F4858D53596DEA17C2647BA1B3BA6081BD9F0394BB042315E04874F2FC0A39
3772 | Publish-or-Perish-8.9.4554.exe | C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe | executable | 58AA0689933BE3443EF01ADD0B265052 | 9080728A5A59E5BC3741EA58C7D59777D65D66197084259D8379FF156CC30722
3772 | Publish-or-Perish-8.9.4554.exe | C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe | executable | 6975DC28D43E267190A68E47C7E231B3 | D23FC128137B9F25DC5A0B1AC6AF9512004CFFC3B73822ED2CD09DB230FBDE8E
3772 | Publish-or-Perish-8.9.4554.exe | C:\Program Files\Harzing's Publish or Perish 8\twux.exe | executable | 3302B5D28CB943406F12B1474A9557BA | 45644E11BE37DE79C468E2695CE1EEF26107A2C1EEECCA8ED4A962830303C72E
3772 | Publish-or-Perish-8.9.4554.exe | C:\Users\admin\AppData\Local\Temp\A17DBD5C\_Setup.dll | executable | 26194C692965D215B3AE641E34A46776 | 50F4858D53596DEA17C2647BA1B3BA6081BD9F0394BB042315E04874F2FC0A39
3772 | Publish-or-Perish-8.9.4554.exe | C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm | executable | 19967D8276F25553D43D4E0366639AD9 | C1F77E3F10229C4C3E753FFE6A4835EED2954B37FED8244B3C9745CA11B5002F
3772 | Publish-or-Perish-8.9.4554.exe | C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe | executable | 19967D8276F25553D43D4E0366639AD9 | C1F77E3F10229C4C3E753FFE6A4835EED2954B37FED8244B3C9745CA11B5002F
3772 | Publish-or-Perish-8.9.4554.exe | C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm | executable | 3440902C29036BB2F23DEFB78CB55902 | 440E3C5BF93AFA5BFCB973B5E00311DBC3B9D542D6062CBC02A7DC51825356BE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info