Windows Analysis Report
PoP8Setup.exe

Overview

General Information

Sample name:	PoP8Setup.exe
Analysis ID:	1431805
MD5:	31bbc34f3ce51ab1c28a63202db9860d
SHA1:	1ed7495f56baab6a0c7e829be2598f3b10ceadf5
SHA256:	2e76e7677972cd02596456b95cb05964c30890a85a220753b68cbc64643bf7bb
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Compliance

Score:	50
Range:	0 - 100

Signatures

Sigma detected: Files With System Process Name In Unsuspected Locations

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Signatures

Bitcoin Miner

Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION pop8win.exe

Compliance

Uses 32bit PE files

Source: PoP8Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDDF1.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDE12.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm

Source: C:\Users\user\Desktop\PoP8Setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Readme.txt

Source: PoP8Setup.exe

Static PE information: certificate valid

Source: PoP8Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary

Uses 32bit PE files

Source: PoP8Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PoP8Setup.exe

Static PE information: Section: .tsustub ZLIB complexity 0.9983809621710527

Source: classification engine

Classification label: sus24.winEXE@2/15@0/0

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Program Files\TSRDDF1.tmp

Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe

File created: C:\Users\user\AppData\Roaming\Publish or Perish

Source: C:\Users\user\Desktop\PoP8Setup.exe

Mutant created: \Sessions\1\BaseNamedObjects\{F52FCFA9-4085-40C8-DBE6-8066C1FB84A8}

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll

Source: PoP8Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PoP8Setup.exe

File read: C:\Program Files\desktop.ini

Source: C:\Users\user\Desktop\PoP8Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\PoP8Setup.exe

File read: C:\Users\user\Desktop\PoP8Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\PoP8Setup.exe "C:\Users\user\Desktop\PoP8Setup.exe"
Source: unknown	Process created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe "C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe"

Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: userenv.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: version.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wininet.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wldp.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: textshaping.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\PoP8Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Source: C:\Users\user\Desktop\PoP8Setup.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: C:\Users\user\Desktop\PoP8Setup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\32.0\Common\InstallRoot

Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDDF1.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDE12.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm

Source: C:\Users\user\Desktop\PoP8Setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}

Source: PoP8Setup.exe

Static PE information: certificate valid

Source: PoP8Setup.exe

Static file information: File size 2775616 > 1048576

Source: PoP8Setup.exe

Static PE information: Raw size of .tsuarch is bigger than: 0x100000 < 0x26f000

Source: PoP8Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PoP8Setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

PE file contains sections with non-standard names

Source: PoP8Setup.exe	Static PE information: section name: .tsustub
Source: PoP8Setup.exe	Static PE information: section name: .tsuarch

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe			Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm	Jump to dropped file

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Readme.txt

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publish or Perish 8.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm	Jump to dropped file

Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PoP8Setup.exe

Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Screenshots

Network Map

⊘No contacted IP infos

ID:	1431805
Product:	CloudBasic
Start time:	20:00:04
Start date:	25.04.2024
Sample:	PoP8Setup.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	31bbc34f3ce51ab1c28a63202db9860d
SHA1:	1ed7495f56baab6a0c7e829be2598f3b10ceadf5
SHA256:	2e76e7677972cd02596456b95cb05964c30890a85a220753b68cbc64643bf7bb
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	577F05CD683ED0577F6C970EA57129E0	AEDF54A8976F0F8FF5588447C344595E3C468925	7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._rb (copy)	PE32+ executable (DLL) (console) x86-64, for MS Windows	577F05CD683ED0577F6C970EA57129E0	AEDF54A8976F0F8FF5588447C344595E3C468925	7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm	PE32+ executable (DLL) (console) x86-64, for MS Windows	577F05CD683ED0577F6C970EA57129E0	AEDF54A8976F0F8FF5588447C344595E3C468925	7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe (copy)	PE32+ executable (console) x86-64, for MS Windows	3CAEE90CA6C672DAFE79F68693C0C445	4F359802178154AC6CA11A421B9A3CDC6716345C	39F04C3BB4A47DFB1C4E1904EC2F8949146D2EE1659876B4B8066DC8C30B6DDD
C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm	PE32+ executable (console) x86-64, for MS Windows	3CAEE90CA6C672DAFE79F68693C0C445	4F359802178154AC6CA11A421B9A3CDC6716345C	39F04C3BB4A47DFB1C4E1904EC2F8949146D2EE1659876B4B8066DC8C30B6DDD
C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe (copy)	PE32+ executable (GUI) x86-64, for MS Windows	13F9E2E97A2A22721124E3567F550344	B470F1E7FC1AF8199AEE824DDF4E4C238A92F34B	FE30220ED25271075352B42B9F938E059AAD1494158BB43529617CE12973EFF4
C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm	PE32+ executable (GUI) x86-64, for MS Windows	13F9E2E97A2A22721124E3567F550344	B470F1E7FC1AF8199AEE824DDF4E4C238A92F34B	FE30220ED25271075352B42B9F938E059AAD1494158BB43529617CE12973EFF4
C:\Program Files\Harzing's Publish or Perish 8\twux.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	3302B5D28CB943406F12B1474A9557BA	1646763E8529D0B1AAE06970F159C9DC5B93507F	45644E11BE37DE79C468E2695CE1EEF26107A2C1EEECCA8ED4A962830303C72E
C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm	PE32 executable (GUI) Intel 80386, for MS Windows	3302B5D28CB943406F12B1474A9557BA	1646763E8529D0B1AAE06970F159C9DC5B93507F	45644E11BE37DE79C468E2695CE1EEF26107A2C1EEECCA8ED4A962830303C72E
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publish or Perish 8.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Normal, ctime=Thu Apr 25 17:01:02 2024, mtime=Thu Apr 25 17:01:02 2024, atime=Tue Mar 12 12:28:00 2024, length=4117528, window=hide	2624812EC52C28CA8E2A633E0F4FE333	F53242D78B4C13F0A5478AFBC9874A03C2378BF8	9BDC08F716584BA672410529FBD807C35B66FE636644219CF78CA8B62604D34C
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Setup.dat	data	859901059B55462FE0D47AAD3AF6A861	263C5A55D7CAF787F113F54993E9637837AB6081	1A77A4DC0B609B6FEF97C23F1EC71906FD67A612D7844AD423E34649FBB47CEB
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Tsu.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	91101594328BE6A2804C1E00D5A7E235	AF1542372B115D193785E09E4C20C8E9C95D4C70	E0283E063C9BFB800DEC7EAE29B0FEB0D3D5EE89D7F7027076450E1522463FD6
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe	PE32+ executable (GUI) x86-64, for MS Windows	9A0747DE09BC0FDEF4D21198E61B11BE	39D54CFCECB911A1E03267BBC36817411C7A6E15	FCA03CE1A4539ED221383FFA44491B066447986679D9F577BD60C8A3B0BDAF28
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DFD3D98A85AF042144B999FB21AE3234	9C575EB0F71B8C34E07E6E89E1D99D87846E3A5F	74114E66E593460CE7189233E03FFA1DC77EC95E0D5BED50C291363D4CC2C1E9
C:\Users\user\AppData\Local\Temp\36071EAE.dat	data	7C4C52EA758E6755B20B1AC6D44FB765	E55A7B463C8FDEE8D8D846D506CE7EC6B9A0947E	746E6678666B4B50CC4EE561206D34D849840E38E4F5CCB3FA665A9A2B500C9D
C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	290CD5295D502AF868BB235664645C30	0903EA61C093D49B6AFC61642B3D7BC4EEF3800D	F6DE9A672943D3E68610198D60EF0404CD1660EF42E01D6E9650D711E09D5BD1
C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe	PE32 executable (GUI) Intel 80386, for MS Windows	F4B5E1B2AC2086D77715EBA140B4D3C1	DAB4617227A1242372B71F7B278103A3B0859434	DFDEF70967C48DC7B8692D9C2075F8A06CE482B56E6DD901278B10F4F4B6A738
C:\Users\user\AppData\Local\Temp\36071EAE\Setup.ico	MS Windows icon resource - 8 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel	B90F4266176630002A965362083F5DAA	25C4E260A1F7D9FAD00354C97DC414805BC16906	79DA7C4A1DBD6C0D09C30A2025AEC71BC652241F6BA06D7A90F5B47F963B991A
C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	91101594328BE6A2804C1E00D5A7E235	AF1542372B115D193785E09E4C20C8E9C95D4C70	E0283E063C9BFB800DEC7EAE29B0FEB0D3D5EE89D7F7027076450E1522463FD6
C:\Users\user\AppData\Local\Temp\PoP8Setup-20240425T200106-Install.log (copy)	Unicode text, UTF-8 (with BOM) text	4E3E90DC698025E90D31FC714AFD0326	BA61BECA0058E7D380CB1D9C160D3BAC02436BE5	0C9FA9595A70D0BF7BEDD1396B37483857B0C3127494B1F7B6FEE6350CD2A1AE
C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log	Unicode text, UTF-8 (with BOM) text	4E3E90DC698025E90D31FC714AFD0326	BA61BECA0058E7D380CB1D9C160D3BAC02436BE5	0C9FA9595A70D0BF7BEDD1396B37483857B0C3127494B1F7B6FEE6350CD2A1AE
C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CADDA490CB6BD2E13C4B6A2806660DA9	1135278A087E556C1F403437312BC9EFC16577C0	7EFC29CA14038A7A3D2B8DA54FE3D7AD10C258E7CCCAB6F481EDDE082D6ECEBD

Windows Analysis Report PoP8Setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Bitcoin Miner

Compliance

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Network Map

Windows Analysis Report
PoP8Setup.exe