Edit tour

Windows Analysis Report
PoP8Setup.exe

Overview

General Information

Sample name:	PoP8Setup.exe
Analysis ID:	1431805
MD5:	31bbc34f3ce51ab1c28a63202db9860d
SHA1:	1ed7495f56baab6a0c7e829be2598f3b10ceadf5
SHA256:	2e76e7677972cd02596456b95cb05964c30890a85a220753b68cbc64643bf7bb
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Compliance

Score:	50
Range:	0 - 100

Signatures

Sigma detected: Files With System Process Name In Unsuspected Locations

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64_ra

PoP8Setup.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\PoP8Setup.exe" MD5: 31BBC34F3CE51AB1C28A63202DB9860D)

pop8win.exe (PID: 7128 cmdline: "C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe" MD5: 13F9E2E97A2A22721124E3567F550344)

cleanup

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\PoP8Setup.exe, ProcessId: 7028, TargetFilename: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Bitcoin Miner

Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION pop8win.exe

Compliance

Uses 32bit PE files

Source: PoP8Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDDF1.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDE12.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm

Creates a software uninstall entry

Source: C:\Users\user\Desktop\PoP8Setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}

Creates install or setup log file

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log

Creates license or readme file

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Readme.txt

PE / OLE file has a valid certificate

Source: PoP8Setup.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: PoP8Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

System Summary

Uses 32bit PE files

Source: PoP8Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PoP8Setup.exe

Static PE information: Section: .tsustub ZLIB complexity 0.9983809621710527

Source: classification engine

Classification label: sus24.winEXE@2/15@0/0

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Program Files\TSRDDF1.tmp

Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe

File created: C:\Users\user\AppData\Roaming\Publish or Perish

Source: C:\Users\user\Desktop\PoP8Setup.exe

Mutant created: \Sessions\1\BaseNamedObjects\{F52FCFA9-4085-40C8-DBE6-8066C1FB84A8}

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll

Source: PoP8Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PoP8Setup.exe

File read: C:\Program Files\desktop.ini

Source: C:\Users\user\Desktop\PoP8Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\PoP8Setup.exe

File read: C:\Users\user\Desktop\PoP8Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\PoP8Setup.exe "C:\Users\user\Desktop\PoP8Setup.exe"
Source: unknown	Process created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe "C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe"

Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\PoP8Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: userenv.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: version.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wininet.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wldp.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: textshaping.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wintypes.dll
Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\PoP8Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Uses Rich Edit Controls

Source: C:\Users\user\Desktop\PoP8Setup.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Checks if Microsoft Office is installed

Source: C:\Users\user\Desktop\PoP8Setup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\32.0\Common\InstallRoot

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDDF1.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\TSRDE12.tmp
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm
Source: C:\Users\user\Desktop\PoP8Setup.exe	Directory created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm

Creates a software uninstall entry

Source: C:\Users\user\Desktop\PoP8Setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}

PE / OLE file has a valid certificate

Source: PoP8Setup.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: PoP8Setup.exe

Static file information: File size 2775616 > 1048576

PE file has a big raw section

Source: PoP8Setup.exe

Static PE information: Raw size of .tsuarch is bigger than: 0x100000 < 0x26f000

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: PoP8Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: PoP8Setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

PE file contains sections with non-standard names

Source: PoP8Setup.exe	Static PE information: section name: .tsustub
Source: PoP8Setup.exe	Static PE information: section name: .tsuarch

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe			Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log

Creates license or readme file

Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt
Source: C:\Users\user\Desktop\PoP8Setup.exe	File created: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Readme.txt

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\PoP8Setup.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publish or Perish 8.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PoP8Setup.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\PoP8Setup.exe	Dropped PE file which has not been started: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm	Jump to dropped file

Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PoP8Setup.exe	File Volume queried: C:\ FullSizeInformation

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\PoP8Setup.exe

Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	13 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	1 Process Injection	1 Modify Registry	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PoP8Setup.exe	0%	ReversingLabs
PoP8Setup.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll	4%	Virustotal	Browse
C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll (copy)	0%	ReversingLabs
C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll (copy)	0%	Virustotal	Browse
C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe (copy)	0%	ReversingLabs
C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe (copy)	0%	Virustotal	Browse
C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe (copy)	0%	ReversingLabs
C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe (copy)	0%	Virustotal	Browse
C:\Program Files\Harzing's Publish or Perish 8\twux.exe (copy)	0%	ReversingLabs
C:\Program Files\Harzing's Publish or Perish 8\twux.exe (copy)	0%	Virustotal	Browse
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe	0%	ReversingLabs
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe	0%	Virustotal	Browse
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe	0%	ReversingLabs
C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe	3%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431805
Start date and time:	2024-04-25 20:00:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	PoP8Setup.exe
Detection:	SUS
Classification:	sus24.winEXE@2/15@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll (copy)

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	577F05CD683ED0577F6C970EA57129E0
SHA1:	AEDF54A8976F0F8FF5588447C344595E3C468925
SHA-256:	7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
SHA-512:	2D1AEA243938A6A1289CF4EFCD541F28AB370A85EF05ED27B7B6D81CE43CEA671E06A0959994807923B1DFEC3B382EE95BD6F9489B74BBA59239601756082047
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....c.........." .....B..........`D..............................................g.....`A....................................................(............@.......D...'..........4...T.......................(....a..8.......................`....................text...5A.......B.................. ..`.rdata.......`.......F..............@..@.data........ ......................@....pdata.......@......................@..@.00cfg..(....`......................@..@.gxfg...p....p......................@..@.retplne\................................tls.................0..............@....voltbl.D............2.................._RDATA...............4..............@..@.rsrc................6..............@..@.reloc...............<..............@..B........................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._rb (copy)

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	577F05CD683ED0577F6C970EA57129E0
SHA1:	AEDF54A8976F0F8FF5588447C344595E3C468925
SHA-256:	7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
SHA-512:	2D1AEA243938A6A1289CF4EFCD541F28AB370A85EF05ED27B7B6D81CE43CEA671E06A0959994807923B1DFEC3B382EE95BD6F9489B74BBA59239601756082047
Malicious:	false
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....c.........." .....B..........`D..............................................g.....`A....................................................(............@.......D...'..........4...T.......................(....a..8.......................`....................text...5A.......B.................. ..`.rdata.......`.......F..............@..@.data........ ......................@....pdata.......@......................@..@.00cfg..(....`......................@..@.gxfg...p....p......................@..@.retplne\................................tls.................0..............@....voltbl.D............2.................._RDATA...............4..............@..@.rsrc................6..............@..@.reloc...............<..............@..B........................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158648
Entropy (8bit):	6.175093839791051
Encrypted:	false
SSDEEP:
MD5:	577F05CD683ED0577F6C970EA57129E0
SHA1:	AEDF54A8976F0F8FF5588447C344595E3C468925
SHA-256:	7127F20DAA0A0A74E120AB7423DD1B30C45908F8EE929F0C6CD2312B41C5BDDF
SHA-512:	2D1AEA243938A6A1289CF4EFCD541F28AB370A85EF05ED27B7B6D81CE43CEA671E06A0959994807923B1DFEC3B382EE95BD6F9489B74BBA59239601756082047
Malicious:	false
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....c.........." .....B..........`D..............................................g.....`A....................................................(............@.......D...'..........4...T.......................(....a..8.......................`....................text...5A.......B.................. ..`.rdata.......`.......F..............@..@.data........ ......................@....pdata.......@......................@..@.00cfg..(....`......................@..@.gxfg...p....p......................@..@.retplne\................................tls.................0..............@....voltbl.D............2.................._RDATA...............4..............@..@.rsrc................6..............@..@.reloc...............<..............@..B........................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe (copy)

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	3CAEE90CA6C672DAFE79F68693C0C445
SHA1:	4F359802178154AC6CA11A421B9A3CDC6716345C
SHA-256:	39F04C3BB4A47DFB1C4E1904EC2F8949146D2EE1659876B4B8066DC8C30B6DDD
SHA-512:	5B94DD828E88CBE5F24C8857AC0211F5EBF25268AEF08E93373AD02647452E25725D7EACD486E33393747CF2854FA51D1C175344F3A978173E57B3DB98C3B6AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DHT..):..):..):..Y9..):..Y?..):..Y>..):..):..):..>..):..9..):......):..);..):..>..):..?..+:..?.-):.....):..)...):..8..):.Rich.):.........PE..d....W.e.........."....'.P.....................@.............................0.......x....`..................................................6...........................Z.......M......T.......................(.......@............`...............................text....O.......P.................. ..`.rdata.......`.......T..............@..@.data...\|....P...j...@..............@....pdata..............................@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...M.......N..................@..B........................................................................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1326104
Entropy (8bit):	6.201339073050438
Encrypted:	false
SSDEEP:
MD5:	3CAEE90CA6C672DAFE79F68693C0C445
SHA1:	4F359802178154AC6CA11A421B9A3CDC6716345C
SHA-256:	39F04C3BB4A47DFB1C4E1904EC2F8949146D2EE1659876B4B8066DC8C30B6DDD
SHA-512:	5B94DD828E88CBE5F24C8857AC0211F5EBF25268AEF08E93373AD02647452E25725D7EACD486E33393747CF2854FA51D1C175344F3A978173E57B3DB98C3B6AD
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......DHT..):..):..):..Y9..):..Y?..):..Y>..):..):..):..>..):..9..):......):..);..):..>..):..?..+:..?.-):.....):..)...):..8..):.Rich.):.........PE..d....W.e.........."....'.P.....................@.............................0.......x....`..................................................6...........................Z.......M......T.......................(.......@............`...............................text....O.......P.................. ..`.rdata.......`.......T..............@..@.data...\|....P...j...@..............@....pdata..............................@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...M.......N..................@..B........................................................................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe (copy)

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	13F9E2E97A2A22721124E3567F550344
SHA1:	B470F1E7FC1AF8199AEE824DDF4E4C238A92F34B
SHA-256:	FE30220ED25271075352B42B9F938E059AAD1494158BB43529617CE12973EFF4
SHA-512:	99CAD6A2C76B3C98138E327E50DC02F4FFEFA9529F4BD96184056AE1EE330DB389300777DC75DFF7EC1B181ECF94B44726E115619DF3590C97FEF6437E604F0A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................M....M..n..M....kQ...kQ.......t/)....t/7....t/,......{..XR...XR.0..kQ...XR......p....XR...Rich...........PE..d....W.e.........."....'............./.........@..............................>.......?...`.....................................................,.......xk%..........z>..Z...`>..i...&..T....................(..(...P%..@............................................text...V........................... ..`.rdata...\.......^..................@..@.data...\...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...xk%......l%.................@..@.reloc...i...`>..j....>.............@..B........................................................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4117528
Entropy (8bit):	6.386725544082248
Encrypted:	false
SSDEEP:
MD5:	13F9E2E97A2A22721124E3567F550344
SHA1:	B470F1E7FC1AF8199AEE824DDF4E4C238A92F34B
SHA-256:	FE30220ED25271075352B42B9F938E059AAD1494158BB43529617CE12973EFF4
SHA-512:	99CAD6A2C76B3C98138E327E50DC02F4FFEFA9529F4BD96184056AE1EE330DB389300777DC75DFF7EC1B181ECF94B44726E115619DF3590C97FEF6437E604F0A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................M....M..n..M....kQ...kQ.......t/)....t/7....t/,......{..XR...XR.0..kQ...XR......p....XR...Rich...........PE..d....W.e.........."....'............./.........@..............................>.......?...`.....................................................,.......xk%..........z>..Z...`>..i...&..T....................(..(...P%..@............................................text...V........................... ..`.rdata...\.......^..................@..@.data...\...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...xk%......l%.................@..@.reloc...i...`>..j....>.............@..B........................................................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\twux.exe (copy)

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	3302B5D28CB943406F12B1474A9557BA
SHA1:	1646763E8529D0B1AAE06970F159C9DC5B93507F
SHA-256:	45644E11BE37DE79C468E2695CE1EEF26107A2C1EEECCA8ED4A962830303C72E
SHA-512:	0584306DCDD78A9EC0ABA8FB24E3E38CCC2DD5642312B2C1149A82B74F900CC568DAAFF107A6FF015B447D7DF78F2D189CD2901A75B32C3F42F7C391DF4D6409
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&..&..&......&./.{..&..'...&...[..&...K.&...H..&...Z..&..&..&...^..&.Rich.&.................PE..L...R..[.....................R.......0............@..........................P............@.................................<...x....0..(................7...0...................................... ...@............................................text............................... ..`_bss....$................................rdata...7.......8..................@..@.data...............................@..._xdata....... ......................@....rsrc...(....0......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................

C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	142240
Entropy (8bit):	5.673453344725802
Encrypted:	false
SSDEEP:
MD5:	3302B5D28CB943406F12B1474A9557BA
SHA1:	1646763E8529D0B1AAE06970F159C9DC5B93507F
SHA-256:	45644E11BE37DE79C468E2695CE1EEF26107A2C1EEECCA8ED4A962830303C72E
SHA-512:	0584306DCDD78A9EC0ABA8FB24E3E38CCC2DD5642312B2C1149A82B74F900CC568DAAFF107A6FF015B447D7DF78F2D189CD2901A75B32C3F42F7C391DF4D6409
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..&..&..&......&./.{..&..'...&...[..&...K.&...H..&...Z..&..&..&...^..&.Rich.&.................PE..L...R..[.....................R.......0............@..........................P............@.................................<...x....0..(................7...0...................................... ...@............................................text............................... ..`_bss....$................................rdata...7.......8..................@..@.data...............................@..._xdata....... ......................@....rsrc...(....0......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publish or Perish 8.lnk

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Normal, ctime=Thu Apr 25 17:01:02 2024, mtime=Thu Apr 25 17:01:02 2024, atime=Tue Mar 12 12:28:00 2024, length=4117528, window=hide
Category:	dropped
Size (bytes):	1005
Entropy (8bit):	4.596269057571052
Encrypted:	false
SSDEEP:
MD5:	2624812EC52C28CA8E2A633E0F4FE333
SHA1:	F53242D78B4C13F0A5478AFBC9874A03C2378BF8
SHA-256:	9BDC08F716584BA672410529FBD807C35B66FE636644219CF78CA8B62604D34C
SHA-512:	AEDAB18D5D4B9B299195DADAD27E29AFAECBB60F70377870D6D666532700B2C8346AD56F28D77D831705DEF79B9D3F0032E7B67F80258E318CE6623DCE3BA1D6
Malicious:	false
Reputation:	unknown
Preview:	L..................F...........:...oV.:...{,...t....>..........................P.O. .:i.....+00.../C:\.....................1......X"...PROGRA~1..t......O.I.X".....B...............J......'.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.......1......X"...HARZIN~1..l......X"..X"......Z........................H.a.r.z.i.n.g.'.s. .P.u.b.l.i.s.h. .o.r. .P.e.r.i.s.h. .8.....b.2...>.lX.k..pop8win.exe.H......X"..X"......\........................p.o.p.8.w.i.n...e.x.e.......i...............-.......h...........)..D.....C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe..F.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.r.z.i.n.g.'.s. .P.u.b.l.i.s.h. .o.r. .P.e.r.i.s.h. .8.\.p.o.p.8.w.i.n...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.H.a.r.z.i.n.g.'.s. .P.u.b.l.i.s.h. .o.r. .P.e.r.i.s.h. .8.`.......X.......210979...........hT..CrF.f4... .>.............%..hT..CrF.f4... .>.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...........

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Setup.dat

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	87058
Entropy (8bit):	5.090017662327696
Encrypted:	false
SSDEEP:
MD5:	859901059B55462FE0D47AAD3AF6A861
SHA1:	263C5A55D7CAF787F113F54993E9637837AB6081
SHA-256:	1A77A4DC0B609B6FEF97C23F1EC71906FD67A612D7844AD423E34649FBB47CEB
SHA-512:	46D595DA447542AF73ABFABE6068D59414122F9A9DF9A3C6FC6CF76BDB9DAE9562E87B1AD3D1669B983B0C0D2937D7DDA749473A7C6AA13C16CED13977A54860
Malicious:	false
Reputation:	unknown
Preview:	tin9....S"..v...../..@.@..f....T..:.t..0...:....!x.:..............,.../.U...jczeG....c....@.\r........Q..`..B'...l.w.U,..._...s.%...A.....eQ\dS.^.sg.<.X.9....WQm...N..+'.....;.i.v.$$.x................................................................symb....>...^..3............Manufacturer....<Publisher>............................c010......e.r...............TsuInstallSize........symb.....9?...P............ShellFoldersCU)...<HKCU>\<WinCurVer>\Explorer\Shell Folders............................c002....g2b...HC#0..............regk......g..V.>........................RegWindowsHKLM-...HKEY_LOCAL_MACHINE\Software\Microsoft\Windows........fldr....W.*.........................E.!.4t.....CommonAppDataFolder....C:\ProgramData....ProgramData....fsta......M..={...xE..N............P...C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe....regk.....I.............................RegSoftwareHKLM....HKEY_LOCAL_MACHINE\Software........symb.......7.ApN............Qui

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Tsu.dll (copy)

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	91101594328BE6A2804C1E00D5A7E235
SHA1:	AF1542372B115D193785E09E4C20C8E9C95D4C70
SHA-256:	E0283E063C9BFB800DEC7EAE29B0FEB0D3D5EE89D7F7027076450E1522463FD6
SHA-512:	BD27969555EB1AE191E486E91B89331A82DF85DA2A8EA3A1529CCCF6A7045EA918DDB902D41375DC60005416BE6B9729841CF1BFA29BCCE8C3AE9D9505CA9C85
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.@.o.@.o.@.H.8.n.@.Richo.@.........PE..L...E..e...........!................................................................v.....@.............................................<............................................................................................................rsrc...<...........................@..@.reloc..............................@..B....................................P.......p...............p...........@.......A...h...B.......................@.......A.......................@.......A.......B... ...C...8...D...P...E...h...F.......G.......H.......I.......J.......K.......L.......M...(...N...@...O...X...................@...p...A.......B.......C.......D.......E.......F.......G.......H...0...I...H...J...`...K...x...................................................................!...0..."...H...#...`...$...x...%.......................

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30208
Entropy (8bit):	7.256539950295231
Encrypted:	false
SSDEEP:
MD5:	9A0747DE09BC0FDEF4D21198E61B11BE
SHA1:	39D54CFCECB911A1E03267BBC36817411C7A6E15
SHA-256:	FCA03CE1A4539ED221383FFA44491B066447986679D9F577BD60C8A3B0BDAF28
SHA-512:	C9E38E134D1F47051014F4EDDFCF19154E90C22B419C527DDD87A247AFD98C78318C1139C9CE6786F122AFE983CD160228B107BCCF46878ABB5160344ADF0BE5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..u^..u^..u^.....u^.)._..u^..._..u^..u_..u^..3..u^.."..u^..&..u^.Rich.u^.................PE..d.../..e..........".................L..........@.............................P......`.....@..................................................!..d....@.......0..<........Z........... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.pdata..<....0......................@..@.rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29696
Entropy (8bit):	7.279485169544364
Encrypted:	false
SSDEEP:
MD5:	DFD3D98A85AF042144B999FB21AE3234
SHA1:	9C575EB0F71B8C34E07E6E89E1D99D87846E3A5F
SHA-256:	74114E66E593460CE7189233E03FFA1DC77EC95E0D5BED50C291363D4CC2C1E9
SHA-512:	1DFFB056E1AD65FEBB5FEE7BAAACBDBDCE07719AE3F7F05A3054EAD02B5A17BC1BD981E107964DF7260137DEE48C5E1B57AB6ADC08C193EB12DEFA9BB9B388C5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..u^..u^..u^.....u^.)._..u^..._..u^..u_..u^..3..u^.."..u^..&..u^.Rich.u^.................PE..L......e..................................... ....@..........................P............@.................................. ..d....0...................Z...@..@...` ............................................... ..T............................text............................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..v....@......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\36071EAE.dat

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	79371
Entropy (8bit):	4.925607845134666
Encrypted:	false
SSDEEP:
MD5:	7C4C52EA758E6755B20B1AC6D44FB765
SHA1:	E55A7B463C8FDEE8D8D846D506CE7EC6B9A0947E
SHA-256:	746E6678666B4B50CC4EE561206D34D849840E38E4F5CCB3FA665A9A2B500C9D
SHA-512:	4E921C5DE1846CAD7335A202B17E8529BDBC1115A541CBC8F51E4A6C4EB15B667A9332CF97DC1C15CC6C51EE687DAF79D5D84B5DA4EDAB1096C8F67FA566FEDF
Malicious:	false
Reputation:	unknown
Preview:	tin9....S"..v...../..@.@..f....T..:.t..T..:.t............3.g-......,.../.U...jczeG....c....@.\r........Q..`..B'...l.w.U,..._...s.%...A.....eQ\dS.^.sg.<.X.9....WQm...N..+'.....;.i.v.$$.x................................................................c002....B..(.r..#0..............symb....W..(..x............VirtualMemory....<$sysval(15)>............................c003....Nr.S................UIRunApp................1....0symb......b.64.*............ServicePackLevel....<$sysval(3)>............................symb.......m@.(............_LocCommonAppDataFolder&...<CommonProfileFolder>\Application Data............................symb.....XV%'/.:............ProductCode&...{D7808C1C-93A9-4369-8385-A789888ED9D7}............................fldr.....^...QB.....................l....vh.....CommonAdminToolsFolder........Administrative Tools....a125..........>.........).......RegisterFiles....................a110....o...:!.................CheckInstallOptions....................symb....(.a.

C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1753
Entropy (8bit):	5.143237629684
Encrypted:	false
SSDEEP:
MD5:	290CD5295D502AF868BB235664645C30
SHA1:	0903EA61C093D49B6AFC61642B3D7BC4EEF3800D
SHA-256:	F6DE9A672943D3E68610198D60EF0404CD1660EF42E01D6E9650D711E09D5BD1
SHA-512:	284D9F0F3C077F8BF2EEA6BDF3BFF1982723FCD28099F3C5A9CB1C4A19BD321B6140DA800F729651AE078B16CFF0B7FCB1A9CFEFF23FEF9400A0E9E4326DF5D5
Malicious:	false
Reputation:	unknown
Preview:	.README.TXT..----------------------------------------------------------------------....The files in this folder are part of the following product:....- Name: Harzing's Publish or Perish..- Version: 8.12.4612.8838..- Publisher: Tarma Software Research Ltd..- Web site: https://harzing.com..- Email: support@harzing.com..- Phone: YOUR PHONE NUMBER HERE....(c) 1990-2024 Tarma Software Research Ltd....The files in this folder are required for a clean update or removal..of the above product. Please do not delete them.....If you wish to remove the product:.... Harzing's Publish or Perish 8.12.4612.8838....from your computer, then use the standard Add/Remove Programs control..panel that you will find via the Start button of your Windows system.....======================================================================..DISCLAIMER..======================================================================....The product:.... Harzing's Publish or Perish 8.12.4612.8838....was published by:.... Tar

C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58944
Entropy (8bit):	5.84108445959513
Encrypted:	false
SSDEEP:
MD5:	F4B5E1B2AC2086D77715EBA140B4D3C1
SHA1:	DAB4617227A1242372B71F7B278103A3B0859434
SHA-256:	DFDEF70967C48DC7B8692D9C2075F8A06CE482B56E6DD901278B10F4F4B6A738
SHA-512:	FE04ABAD45A7C9EF86A2FD794BDB6077588BA632422D0507CC4D5764CC5468FF1C1BBD6001FED9E1F30BBEBBC8B26530D46E99FA11F243430D44A2011BD847BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.O.+`!.+`!.+`!... .(`!.+` ."`!...L.`!...].`!.+`!.`!...Y.`!.Rich+`!.........................PE..L...E..e..................................... ....@.................................6.....@.................................h ..(....0..................@Z...... ...0 ............................................... ..(............................text............................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\36071EAE\Setup.ico

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	MS Windows icon resource - 8 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	23558
Entropy (8bit):	3.4538759440211932
Encrypted:	false
SSDEEP:
MD5:	B90F4266176630002A965362083F5DAA
SHA1:	25C4E260A1F7D9FAD00354C97DC414805BC16906
SHA-256:	79DA7C4A1DBD6C0D09C30A2025AEC71BC652241F6BA06D7A90F5B47F963B991A
SHA-512:	2A2597684FFA78A5FDE4884A8DB1DD2915EAC734B6CF6A627E99EAF43429B41A636210A5BEBF13B5F4E10A8DD9839C28927A160498F346D0B19C09AD95D99834
Malicious:	false
Reputation:	unknown
Preview:	...... ......................(...n...00.............. ..........>...........h.......00.... ..%..N!.. .... ......F........ .h....W..(... ...@..................................................................................................................\|...wp..........d...l................G..........t...\|l..........................p..Lp...........h...`........................\|lF.DLdH...............L..........\|Fp.\|............p...p...........`...`..........d...l...........L....G...........D..\|L.........................Lp...p...........`...`..........F...l................G..........t...\|L.........................Lp...p...........`...`..........d...l................G..........vL..v.............p.............x...x........................\|...<?..<?..<?...........................................................................x...x...x...<?..<?..<?......??....(....... .........................................................................................................p.p.....

C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	253952
Entropy (8bit):	4.284946210439144
Encrypted:	false
SSDEEP:
MD5:	91101594328BE6A2804C1E00D5A7E235
SHA1:	AF1542372B115D193785E09E4C20C8E9C95D4C70
SHA-256:	E0283E063C9BFB800DEC7EAE29B0FEB0D3D5EE89D7F7027076450E1522463FD6
SHA-512:	BD27969555EB1AE191E486E91B89331A82DF85DA2A8EA3A1529CCCF6A7045EA918DDB902D41375DC60005416BE6B9729841CF1BFA29BCCE8C3AE9D9505CA9C85
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o.@.o.@.o.@.H.8.n.@.Richo.@.........PE..L...E..e...........!................................................................v.....@.............................................<............................................................................................................rsrc...<...........................@..@.reloc..............................@..B....................................P.......p...............p...........@.......A...h...B.......................@.......A.......................@.......A.......B... ...C...8...D...P...E...h...F.......G.......H.......I.......J.......K.......L.......M...(...N...@...O...X...................@...p...A.......B.......C.......D.......E.......F.......G.......H...0...I...H...J...`...K...x...................................................................!...0..."...H...#...`...$...x...%.......................

C:\Users\user\AppData\Local\Temp\PoP8Setup-20240425T200106-Install.log (copy)

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	4E3E90DC698025E90D31FC714AFD0326
SHA1:	BA61BECA0058E7D380CB1D9C160D3BAC02436BE5
SHA-256:	0C9FA9595A70D0BF7BEDD1396B37483857B0C3127494B1F7B6FEE6350CD2A1AE
SHA-512:	E28CAAD1D9E2C5E115794378E1A991D7A3DF3740146A6955E4A7DF1A8187DCE74814F6FCFB3DF156E45CEA7D5AC565E7028564B0F144106A1E80499220127A32
Malicious:	false
Reputation:	unknown
Preview:	.2024-04-25 20:00:30.684 ===== Logging C:\Users\user\Desktop\PoP8Setup.exe =====.00072044\|TSU:I0069\|0000-01DA973A76245B98\|InstallMate setup library\|9.118.7305.8787 (2024.01.21.1201Ux86 Lib Rel)\|WinNT (x86) Unicode Lib Rel\|140050727.0007205D\|TSU:I0094\|0000-01DA973A76245B98\|"C:\Users\user\Desktop\PoP8Setup.exe" /d:"C:\Users\user\Desktop\PoP8Setup.exe".00070017\|TSU:D0024\|2000-01DA973A76245B98\|{F52FCFA9-4085-40C8-DBE6-8066C1FB84A8}\|0.00072004\|TSU:I0005\|2000-01DA973A76245B98\|C:\Windows\system32\kernel32.dll\|10.0.19041.1889\|10.0.19041.1889.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|75710000\|IsWow64Process2\|75C06CD0.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|75710000\|GetProductInfo\|75732070.00070009\|TSU:D0010\|2000-01DA973A76245B98\|C:\Windows\system32\sfc.dll\|006F0000.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|775E0000\|RegDeleteKeyExW\|77602480.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|76190000\|SHGetKnownFolderPath\|762F9E40.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|006F0000\|SfcIsFileProtected\|6EAF405

C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	modified
Size (bytes):	156280
Entropy (8bit):	5.3492678812077115
Encrypted:	false
SSDEEP:
MD5:	4E3E90DC698025E90D31FC714AFD0326
SHA1:	BA61BECA0058E7D380CB1D9C160D3BAC02436BE5
SHA-256:	0C9FA9595A70D0BF7BEDD1396B37483857B0C3127494B1F7B6FEE6350CD2A1AE
SHA-512:	E28CAAD1D9E2C5E115794378E1A991D7A3DF3740146A6955E4A7DF1A8187DCE74814F6FCFB3DF156E45CEA7D5AC565E7028564B0F144106A1E80499220127A32
Malicious:	false
Reputation:	unknown
Preview:	.2024-04-25 20:00:30.684 ===== Logging C:\Users\user\Desktop\PoP8Setup.exe =====.00072044\|TSU:I0069\|0000-01DA973A76245B98\|InstallMate setup library\|9.118.7305.8787 (2024.01.21.1201Ux86 Lib Rel)\|WinNT (x86) Unicode Lib Rel\|140050727.0007205D\|TSU:I0094\|0000-01DA973A76245B98\|"C:\Users\user\Desktop\PoP8Setup.exe" /d:"C:\Users\user\Desktop\PoP8Setup.exe".00070017\|TSU:D0024\|2000-01DA973A76245B98\|{F52FCFA9-4085-40C8-DBE6-8066C1FB84A8}\|0.00072004\|TSU:I0005\|2000-01DA973A76245B98\|C:\Windows\system32\kernel32.dll\|10.0.19041.1889\|10.0.19041.1889.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|75710000\|IsWow64Process2\|75C06CD0.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|75710000\|GetProductInfo\|75732070.00070009\|TSU:D0010\|2000-01DA973A76245B98\|C:\Windows\system32\sfc.dll\|006F0000.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|775E0000\|RegDeleteKeyExW\|77602480.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|76190000\|SHGetKnownFolderPath\|762F9E40.0007000B\|TSU:D0012\|2000-01DA973A76245B98\|006F0000\|SfcIsFileProtected\|6EAF405

C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll

Download File

Process:	C:\Users\user\Desktop\PoP8Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545272
Entropy (8bit):	6.026003927739149
Encrypted:	false
SSDEEP:
MD5:	CADDA490CB6BD2E13C4B6A2806660DA9
SHA1:	1135278A087E556C1F403437312BC9EFC16577C0
SHA-256:	7EFC29CA14038A7A3D2B8DA54FE3D7AD10C258E7CCCAB6F481EDDE082D6ECEBD
SHA-512:	641BF84495AAA8D3C25B6766E4061128225319D0AA265068A0AEB12F43B6A28EE9A29AE1A46C1FAC12413A88F4186B71BB98ED606DA311747875B523FBDA43E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 4%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t..............#.......#........e.......mk......~.......................,................................Rich............................PE..L......e...........!.........<......Q&.......................................`......U.....@..........................h.......L..........xy...............Y... ...$.. ................................<..@............................................text...e........................... ..`_bss....$................................rdata..`y.......z..................@..@.data...8....p.......B..............@..._xdata...............J..............@....rsrc...xy.......z...L..............@..@.reloc...0... ...2..................@..B........................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992330851937082
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PoP8Setup.exe
File size:	2'775'616 bytes
MD5:	31bbc34f3ce51ab1c28a63202db9860d
SHA1:	1ed7495f56baab6a0c7e829be2598f3b10ceadf5
SHA256:	2e76e7677972cd02596456b95cb05964c30890a85a220753b68cbc64643bf7bb
SHA512:	1fd2c41b56490ebfdc148344e1370b7e3f3eb50ad2b14d98f02373124b4ba9e3374bcab3545a2b0c0c4ca926d818fd3d1661b9d91a832aca198882623c34878e
SSDEEP:	49152://Guw1I73YzKvLuZxukx+3ylqWP1ZrCNaz+ZNwt1hlvRWcTV+qQqZnzbh6:/OuwOrYzKSZUSkWP1ZrCfZujXJdTc4nE
TLSH:	89D533ECD89BCE94C8851C7AE0C7913F1FAE391DDAD52D72C4C52E1E0AB166A484436E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.o.9...9...9...0...;.......:...9........#l.:....#}.8...9...8....#y.8...Rich9...................PE..L...A..e................. .

File Icon


Icon Hash:	4d6d26369389094d

Static PE Info

General

Entrypoint:	0x4015ad
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65AD0841 [Sun Jan 21 12:04:17 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	20c4b14b5064e66d073d37066475b11c

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/01/2024 01:00:00 11/01/2027 00:59:59
Subject Chain	CN=Tarma Software Research Ltd, O=Tarma Software Research Ltd, S=Hertfordshire, C=GB, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB, SERIALNUMBER=09173284
Version:	3
Thumbprint MD5:	0732A8FB8E2752423978408788DD0652
Thumbprint SHA-1:	CB3D15998E0DADA45B7FDE7537CDF3EB0583EC44
Thumbprint SHA-256:	CEC82DC72D171809FEAEDDD8C4385B008CBE15982AB9468E5C3C730B1ADC8DBE
Serial:	1C6124EDF233584A3C9425DAFC4B02E5

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000740h
push ebx
push esi
xor ebx, ebx
push edi
mov word ptr [ebp-00000538h], bx
mov dword ptr [ebp-0Ch], ebx
mov dword ptr [ebp-04h], ebx
call dword ptr [00403070h]
mov esi, eax
lea eax, dword ptr [ebp-00000128h]
push eax
mov dword ptr [ebp-00000128h], 00000114h
call dword ptr [0040306Ch]
cmp dword ptr [ebp-00000118h], 02h
jne 00007F36B04FD332h
cmp dword ptr [ebp-00000124h], 06h
jnbe 00007F36B04FD31Dh
jne 00007F36B04FD327h
cmp dword ptr [ebp-00000120h], 02h
jc 00007F36B04FD31Eh
mov dword ptr [0040440Ch], 00001100h
jmp 00007F36B04FD31Ch
mov dword ptr [0040440Ch], 00000008h
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00403068h]
call dword ptr [00403064h]
mov edi, eax
not edi
xor edi, esi
call dword ptr [00403060h]
xor edi, eax
mov eax, dword ptr [ebp-10h]
xor eax, dword ptr [ebp-14h]
push 00000104h
xor edi, eax
lea eax, dword ptr [ebp-00000740h]
push eax
push ebx
call dword ptr [0040305Ch]
test eax, eax
jne 00007F36B04FD353h
call dword ptr [00403008h]
cmp eax, 78h
jne 00007F36B04FD32Ch
push 004032FCh
call 00007F36B04FCD20h
pop ecx
mov dword ptr [00404408h], 000000FDh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3334	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5000	0x8108	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2a0000	0x5a40
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xd8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x30b0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xa8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f24	0x2000	238be0c23ac787227d3ec82cd803d77b	False	0.611083984375	data	6.407650508595175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x70f	0x800	774123c0e0989df6de4758c1c8736fcd	False	0.48388671875	data	4.7219381205576685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x410	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5000	0x8108	0x8200	554c55809a36daef0867517dfd01a840	False	0.28272235576923077	data	4.037171789061473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0x174	0x200	0e109f2ae39d20fdea549b1a04660bf8	False	0.453125	data	3.339167376222123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.tsustub	0xf000	0x25ea3	0x26000	ac7d653cf9eb9f6121bac96b1812d76b	False	0.9983809621710527	data	7.997541211940017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.tsuarch	0x35000	0x26f000	0x26f000	1c089f3e3df955108e570608f95c37f1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x5310	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.4637096774193548
RT_ICON	0x55f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.5777027027027027
RT_ICON	0x5720	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	0.26545842217484006
RT_ICON	0x65c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.3575268817204301
RT_ICON	0x68b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.4831081081081081
RT_ICON	0x69d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	0.3699360341151386
RT_ICON	0x7880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	0.46796028880866425
RT_ICON	0x8128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	0.5874277456647399
RT_ICON	0x8690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.19865145228215766
RT_ICON	0xac38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.2539868667917448
RT_ICON	0xbce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.42819148936170215
RT_GROUP_ICON	0xc148	0x76	data	0.6864406779661016
RT_VERSION	0xc1c0	0x920	data	0.2902397260273973
RT_MANIFEST	0xcae0	0x625	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.45581691036236494

Imports

DLL

Import

KERNEL32.dll

OutputDebugStringA, FreeLibrary, GetLastError, lstrcpynW, GetProcAddress, LoadLibraryExW, GetSystemDirectoryW, UnmapViewOfFile, MultiByteToWideChar, MapViewOfFile, CloseHandle, CreateFileMappingW, GetFileSize, CreateFileW, lstrlenW, GetCommandLineW, ExitProcess, Sleep, DeleteFileW, SetFileAttributesW, GetFileAttributesW, GetTempPathW, GetModuleHandleW, GetModuleFileNameW, GetTickCount, GetCurrentThreadId, GetSystemTimeAsFileTime, GetVersionExW, GetCurrentProcessId, HeapAlloc, GetProcessHeap, HeapFree, ReadFile, WriteFile, SetFileTime, SetFilePointer

USER32.dll

wvsprintfA, wsprintfW, PostMessageW, MessageBoxA

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PoP8Setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Bitcoin Miner

Compliance

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll (copy)

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._rb (copy)

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm

C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe (copy)

C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm

C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe (copy)

C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm

C:\Program Files\Harzing's Publish or Perish 8\twux.exe (copy)

C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publish or Perish 8.lnk

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Setup.dat

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Tsu.dll (copy)

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe

C:\Users\user\AppData\Local\Temp\36071EAE.dat

C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt

C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe

C:\Users\user\AppData\Local\Temp\36071EAE\Setup.ico

C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll

C:\Users\user\AppData\Local\Temp\PoP8Setup-20240425T200106-Install.log (copy)

C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log

C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
PoP8Setup.exe