Windows Analysis Report
papercut-hive.exe

Overview

General Information

Sample name:	papercut-hive.exe
Analysis ID:	1542234
MD5:	7253bd3220cd819a8c822ebcfbd03ded
SHA1:	6fd8e9384b4a7f1239505c7dcd034be810979ab7
SHA256:	dc9a1d2826175fd74c92ad9f842eddc80c9ff593770dbbf7ed4f2d9690f2e70c
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Sigma detected: rundll32 run dll from internet

Uses netstat to query active network connections and open ports

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates a process in suspended mode (likely to inject code)

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

Uses 32bit PE files

Source: papercut-hive.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-25 #001.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	File created: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\queue_install.log			Jump to behavior

Source: papercut-hive.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 104.119.110.121:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.210.172:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.214.120:443 -> 192.168.2.5:56558 version: TLS 1.2

Source: papercut-hive.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb source: vcredist_x64.exe.2.dr
Source:	Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb4 source: vcredist_x64.exe.2.dr

Networking

Uses netstat to query active network connections and open ports

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\NETSTAT.EXE "netstat" -anb

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.119.110.121 104.119.110.121
Source: Joe Sandbox View	IP Address: 199.232.210.172 199.232.210.172

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vs/17/release/vc_redist.x64.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: aka.msConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download/pr/368cc6bf-087b-49f9-93e6-ab05b70a58e0/814E9DA5EC5E5D6A8FA701999D1FC3BADDF7F3ADC528E202590E9B1CB73E4A11/VC_redist.x64.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Connection: Keep-AliveCache-Control: no-cacheHost: download.visualstudio.microsoft.com
Source: global traffic	HTTP traffic detected: GET /files/open-source/ghost-trap/ghost-trap-installer-1.5.10.03.exe HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: cdn1.papercut.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: aka.ms
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 197.87.175.4.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: cdn1.papercut.com
Source: global traffic	DNS traffic detected: DNS query: pmitc.papercut.com

Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://127.0.0.1:9263image:
Source: vcredist_x64.exe.2.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://bourbon.io
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: pc-print-client.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: pc-print-client.exe, 00000012.00000002.2631688601.000000C000020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://localhostus-genesisstaginggngkernel32.dllC:
Source: pc-print-client.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0W
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://www.bohemiancoding.com/sketch
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: papercut-hive.exe, 00000000.00000003.2707442358.0000000001836000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.00000000030B6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.papercut.com/
Source: papercut-hive.exe, 00000000.00000003.2091285016.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.papercut.com/0http://www.papercut.com/0http://www.papercut.com/
Source: papercut-hive.tmp, 00000002.00000003.2702866559.00000000030B6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.papercut.com/Yk
Source: pc-print-client.exe, 00000012.00000002.2631688601.000000C000022000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://.papercusoftwarehttp://lus-genestesttstau-stagitemplate
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://127.0.0.1:9266idna:
Source: papercut-hive.tmp, 00000002.00000003.2704291741.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/
Source: papercut-hive.tmp, 00000002.00000003.2704291741.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/YoS(&
Source: papercut-hive.exe, 00000000.00000003.2091285016.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2707442358.00000000017E3000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2704291741.00000000015A7000.00000004.00000020.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003007000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702370361.0000000004230000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2704291741.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe
Source: papercut-hive.tmp, 00000002.00000002.2705901345.0000000001595000.00000004.00000020.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2704291741.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe4
Source: papercut-hive.tmp, 00000002.00000003.2698392651.0000000004015000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exe==
Source: papercut-hive.tmp, 00000002.00000002.2705901345.0000000001595000.00000004.00000020.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2704291741.0000000001590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exeH
Source: papercut-hive.tmp, 00000002.00000003.2698392651.0000000004015000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/17/release/vc_redist.x64.exet))
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://au-staging.pmitc.papercut.softwareinsufficient
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://au.pmitc.papercut.comhttps://eu.pmitc.papercut.comhttps://uk.pmitc.papercut.cominteger
Source: papercut-hive.tmp, 00000002.00000002.2706959213.0000000006650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn1.papercut.com/
Source: papercut-hive.tmp, 00000002.00000003.2704291741.00000000015C8000.00000004.00000020.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702370361.0000000004230000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2698392651.0000000004015000.00000004.00000020.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn1.papercut.com/files/open-source/ghost-trap/ghost-trap-installer-1.5.10.03.exe
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.googleapis.com
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Barlow:ital
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/barlow/v12/7cHpv4kjgoGqM7E_DMs8.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/barlow/v12/7cHqv4kjgoGqM7E30-8s51op.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/barlow/v12/7cHqv4kjgoGqM7E3j-ws51op.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/merriweather/v30/u-440qyriQwlOrhSvowK_l5-fCZJ.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/merriweather/v30/u-4n0qyriQwlOrhSvowK_l52xwNZWMf_.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sourcecodepro/v22/HI_diYsKILxRpg3hIP6sJ7fM7PqPMcMnZFqUwX28DMyQtMlrSQ.ttf
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sourcesanspro/v21/6xK1dSBYKcSV-LCoeQqfX1RYOo3qPZ7nsDc.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sourcesanspro/v21/6xK3dSBYKcSV-LCoeQqfX1RYOo3qOK7g.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sourcesanspro/v21/6xKwdSBYKcSV-LCoeQqfX1RYOo3qPZY4lCds18E.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sourcesanspro/v21/6xKydSBYKcSV-LCoeQqfX1RYOo3i54rwlxdr.ttf)
Source: papercut-hive.tmp, 00000002.00000003.2698494496.00000000044B5000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/sourcesanspro/v21/6xKydSBYKcSV-LCoeQqfX1RYOo3i94_wlxdr.ttf)
Source: papercut-hive.exe, 00000000.00000003.2091285016.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2707442358.00000000017E3000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003007000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702370361.000000000428D000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000002FEA000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/PaperCutSoftware/GhostTrap
Source: papercut-hive.tmp, 00000002.00000003.2702866559.0000000002FEA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/PaperCutSoftware/GhostTrapn;
Source: papercut-hive.exe, 00000000.00000003.2091285016.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2707442358.00000000017E3000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003007000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702370361.000000000423A000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://installer-downloader-dot-pc-pmitc.appspot.com/public/installer-downloader/upload-installer-l
Source: papercut-hive.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: pc-print-client.exe, 00000012.00000002.2631688601.000000C0000FF000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2631688601.000000C0000CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://multiverse.papercut.com
Source: pc-print-client.exe, 00000012.00000002.2631688601.000000C0000FF000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2631688601.000000C0000CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://multiverse.papercut.software
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://pc-pmitc.appspot.com//print-client/secure/printclient-gateway/org/%s/upload-support-logs/v1c
Source: pc-print-client.exe, 00000012.00000002.2631688601.000000C000022000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pmitc.papercut.com/
Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp, pc-print-client.exe, 00000012.00000002.2630254047.0000000000F85000.00000002.00000001.01000000.0000000A.sdmp, pc-print-client.exe.2.dr	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictin
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F0DB000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000000.2094710725.0000000000B01000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: papercut-hive.exe, 00000000.00000003.2091285016.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2707442358.00000000017E3000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003007000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702370361.000000000429C000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.papercut.com/kb/PaperCutPocketHive/PrinterInstallerIssue#portconflict
Source: papercut-hive.exe, 00000000.00000003.2091285016.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2707442358.00000000017E3000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003007000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003064000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.papercut.com/kb/PaperCutPocketHive/PrinterInstallerIssue#services
Source: papercut-hive.exe, 00000000.00000003.2091285016.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2707442358.00000000017E3000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003007000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702866559.0000000003064000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2096649458.0000000003F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.papercut.com/kb/PaperCutPocketHive/PrinterInstallerIssue#win
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F0DB000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.exe, 00000000.00000003.2092843159.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000000.2094710725.0000000000B01000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56617
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 56558
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56558 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56617 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443

Source: unknown	HTTPS traffic detected: 104.119.110.121:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.232.210.172:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.214.120:443 -> 192.168.2.5:56558 version: TLS 1.2

Installs a raw input device (often for capturing keystrokes)

Source: papercut-hive.tmp, 00000002.00000003.2698494496.0000000004310000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: Server 2008 R2 Server 2012 R2 is unavailable not a function()<>@,;:\"/[]?=(Get-Resources),M3.2.0,M11.1.0/manual-link/v10601021504Z0700400 Bad Request476837158203125: cannot parse : no frame (sp=<invalid Value>ASCII_Hex_DigitAccept-EncodingAccept-LanguageAcknowledge-JobAddDllDirectoryCLSIDFromStringCallWindowProcWCancel-DocumentCardinality(%d)ClientAuthType(ContainingOneofCreateHardLinkWCreatePopupMenuCreateWindowExWDelete-DocumentDeviceIoControlDiacriticalDot;DialogBoxParamWDisable-PrinterDoubleRightTee;DownLeftVector;DragAcceptFilesDrawThemeTextExDuplicateHandleExcludeClipRectExtensionRangesFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileGateway TimeoutGdiplusShutdownGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetModuleHandleGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleGreaterGreater;HalfClosedLocalHanifi_RohingyaHorizontalLine;Idempotency-KeyImpersonateSelfInsertMenuItemWInvisibleComma;InvisibleTimes;IsWindowEnabledIsWindowUnicodeIsWindowVisibleIsWow64Process2LeftDownVector;LeftRightArrow;Leftrightarrow;Length RequiredLessSlantEqual;LongRightArrow;Longrightarrow;LowerLeftArrow;MoveToEx failedNTSTATUS 0x%08xNestedLessLess;Not ImplementedNotGreaterLess;NotLessGreater;NotSubsetEqual;NotTrueTypeFontNotVerticalBar;OleUninitializeOpEnablePrinterOpFetchDocumentOpResumePrinterOpenCurlyQuote;OpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512PaperCut PocketPartial ContentPlayEnhMetaFilePolyline failedPostQuitMessageProcess32FirstWProfileNotFoundPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRegisterClassExRequest TimeoutRequiredNumbersRestart-PrinterReverseElement;RightTeeVector;RightVectorBar;RtlDefaultNpAclSetActiveWindowSetCommTimeoutsSetSecurityInfoSetVolumeLabelWSetWinEventHookShortDownArrow;ShortLeftArrow;SquareSuperset;Startup-PrinterStatusErrorBusyStatusErrorGoneStringFromGUID2TildeFullEqual;TrackMouseEventTrigger backoffUnknown name=%qUnmapViewOfFileUpperLeftArrow;WTSConnectQueryWTSDisconnectedWindowFromPointX-Forwarded-ForX-Frame-OptionsZeroWidthSpace;]

memstr_f5122bf8-8

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	File created: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\pcglobal.cat	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\pcglobal.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\SETF9EB.tmp	Jump to dropped file

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}

Source: papercut-hive.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: papercut-hive.exe	Static PE information: Number of sections : 11 > 10
Source: ghost-trap-installer-1.5.10.03.exe.2.dr	Static PE information: Number of sections : 11 > 10

Source: papercut-hive.exe, 00000000.00000000.2090959358.0000000000589000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs papercut-hive.exe
Source: papercut-hive.exe, 00000000.00000003.2093280982.000000007F3DA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs papercut-hive.exe
Source: papercut-hive.exe, 00000000.00000003.2092843159.00000000035EE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs papercut-hive.exe
Source: papercut-hive.exe	Binary or memory string: OriginalFileName vs papercut-hive.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03

Source: C:\Users\user\Desktop\papercut-hive.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\papercut-hive.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "pc-print-client-service.exe")
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "pc-print-client.exe")

Source: unknown	Process created: C:\Users\user\Desktop\papercut-hive.exe "C:\Users\user\Desktop\papercut-hive.exe"
Source: C:\Users\user\Desktop\papercut-hive.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp "C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp" /SL5="$1047A,31229352,845824,C:\Users\user\Desktop\papercut-hive.exe"
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""netstat" -anb > "C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\~execwithresult.txt""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\NETSTAT.EXE "netstat" -anb
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get * /value > "C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\antivirus-info.log" 2>&1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get * /value
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" /f /im "pc-print-client-service.exe"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" /f /im "pc-print-client.exe"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\net.exe "net.exe" start spooler
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start spooler
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe "C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe" -installPrintQueue -printerId="PaperCut Printer" -printerName="PaperCut Printer" "-driverFilePath=C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\PCGlobal.inf" -logFile="C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\queue_install.log"
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /ia /m "PaperCut Global PostScript - NTNS" /f C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\PCGlobal.inf /u
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\pcglobal.inf" "9" "48fde5adf" "000000000000015C" "WinSta0\Default" "0000000000000144" "208" "c:\users\user\appdata\local\temp\is-b2r1d.tmp\client\pc-global-print-driver"
Source: unknown	Process created: C:\Windows\System32\PrintIsolationHost.exe C:\Windows\system32\PrintIsolationHost.exe -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /y /if /b "PaperCut Printer" /x /n "PaperCut Printer" /m "PaperCut Global PostScript - NTNS" /r http://localhost:9265/printers/papercutpocket /u /q
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /q /y /n "PaperCut Printer"
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /q /Sr /n "PaperCut Printer" /a C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\printer-settings.bin p h i r g u d c 2
Source: C:\Users\user\Desktop\papercut-hive.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp "C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp" /SL5="$1047A,31229352,845824,C:\Users\user\Desktop\papercut-hive.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""netstat" -anb > "C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\~execwithresult.txt""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get * /value > "C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\antivirus-info.log" 2>&1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" /f /im "pc-print-client-service.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\taskkill.exe "taskkill.exe" /f /im "pc-print-client.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Windows\System32\net.exe "net.exe" start spooler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe "C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe" -installPrintQueue -printerId="PaperCut Printer" -printerName="PaperCut Printer" "-driverFilePath=C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\PCGlobal.inf" -logFile="C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\queue_install.log"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\NETSTAT.EXE "netstat" -anb	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get * /value	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 start spooler	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /ia /m "PaperCut Global PostScript - NTNS" /f C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\PCGlobal.inf /u	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /y /if /b "PaperCut Printer" /x /n "PaperCut Printer" /m "PaperCut Global PostScript - NTNS" /r http://localhost:9265/printers/papercutpocket /u /q	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /q /y /n "PaperCut Printer"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe printui.dll,PrintUIEntry /q /Sr /n "PaperCut Printer" /a C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\printer-settings.bin p h i r g u d c 2	Jump to behavior

Source: C:\Users\user\Desktop\papercut-hive.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\papercut-hive.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\System32\NETSTAT.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\NETSTAT.EXE	Section loaded: snmpapi.dll	Jump to behavior
Source: C:\Windows\System32\NETSTAT.EXE	Section loaded: inetmib1.dll	Jump to behavior
Source: C:\Windows\System32\NETSTAT.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Section loaded: printisolationproxy.dll	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Section loaded: spoolss.dll	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Section loaded: coloradapterclient.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Automated click: OK

Source: papercut-hive.exe	Static PE information: section name: .didata
Source: papercut-hive.tmp.0.dr	Static PE information: section name: .didata
Source: vcredist_x64.exe.2.dr	Static PE information: section name: .wixburn
Source: ghost-trap-installer-1.5.10.03.exe.2.dr	Static PE information: section name: .didata
Source: pc-print-client.exe.2.dr	Static PE information: section name: .symtab

Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Code function: 2_3_01580459 push es; iretd	2_3_01580474
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Code function: 2_3_0157C451 push es; iretd	2_3_0157C46C
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Code function: 2_3_01580455 push es; ret	2_3_01580458
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Code function: 2_3_0157C44D push es; ret	2_3_0157C450
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Code function: 2_3_01580505 push es; ret	2_3_01580508
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Code function: 2_3_0157C4FD push es; ret	2_3_0157C500

Source: C:\Users\user\Desktop\papercut-hive.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\PrintIsolationHost.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\ghost-trap-installer-1.5.10.03.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\idp.dll	Jump to dropped file

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: papercut-hive.tmp, 00000002.00000003.2704291741.00000000015D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9
Source: NETSTAT.EXE, 00000005.00000002.2099596498.000002242FBD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: papercut-hive.tmp, papercut-hive.tmp, 00000002.00000003.2704291741.00000000015D0000.00000004.00000020.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2704291741.0000000001590000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: pc-print-client.exe, 00000012.00000002.2644780329.0000016A8896C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\NETSTAT.EXE	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\NETSTAT.EXE	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\pcglobal.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\pcglobal.cat VolumeInformation	Jump to behavior

Source: papercut-hive.tmp, 00000002.00000003.2702866559.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp, papercut-hive.tmp, 00000002.00000003.2702370361.0000000004229000.00000004.00001000.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2110858859.000001E21B9A1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2111694641.000001E21B803000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2111760335.000001E21B806000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2110642425.000001E21B7F9000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000002.2112382243.000001E21BA9B000.00000004.00000020.00020000.00000000.sdmp, antivirus-info.log.6.dr	Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000008.00000002.2112382243.000001E21BA9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000008.00000002.2112238830.000001E21B7D8000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000002.2112099275.000001E21B7B7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2110743546.000001E21B7D7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2110801990.000001E21B7E5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2111398787.000001E21B97C000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2111773868.000001E21B7B7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000003.2110642425.000001E21B7B2000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000008.00000002.2112263295.000001E21B7E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

IP	Domain	Country	ASN	ASN Name	Malicious
52.222.214.120	d1d4ywpuwg1f9b.cloudfront.net	United States	16509	AMAZON-02US	false
34.111.87.71	pmitc.papercut.com	United States	15169	GOOGLEUS	false
104.119.110.121	aka.ms	United States	16625	AKAMAI-ASUS	false
199.232.210.172	fg.microsoft.map.fastly.net	United States	54113	FASTLYUS	false

Name	IP	Active
fg.microsoft.map.fastly.net	199.232.210.172	true
d1d4ywpuwg1f9b.cloudfront.net	52.222.214.120	true
aka.ms	104.119.110.121	true
pmitc.papercut.com	34.111.87.71	true
cdn1.papercut.com	unknown	unknown
198.187.3.20.in-addr.arpa	unknown	unknown
197.87.175.4.in-addr.arpa	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
https://aka.ms/vs/17/release/vc_redist.x64.exe	false		unknown
https://cdn1.papercut.com/files/open-source/ghost-trap/ghost-trap-installer-1.5.10.03.exe	false		unknown

Windows Analysis Report papercut-hive.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
papercut-hive.exe

ID:	1542234
Product:	CloudBasic
Start time:	17:23:07
Start date:	25.10.2024
Sample:	papercut-hive.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7253bd3220cd819a8c822ebcfbd03ded
SHA1:	6fd8e9384b4a7f1239505c7dcd034be810979ab7
SHA256:	dc9a1d2826175fd74c92ad9f842eddc80c9ff593770dbbf7ed4f2d9690f2e70c
Filetype:	Win32 Executable (generic) a (10002005/4) 98.04%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Prs295.tmp	data	EEBA05CBB1FE3356985E1B64D0DA28D1	F271A1D2395C75527619562FF78A017AC8D8906F	C8AB8F667F14F99E8E58C550D96DE351B955C844987BF977736F7978616772C4
C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-25 #001.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (375), with CRLF, LF line terminators	FC298426EE9A38D312524FE48520382E	3C3E8D4D39CB5B7B24DDB34A8207F27B3B9A020B	B075CAC244508F4431D4378CF8BA0AA3230D499FA5DB0CA1A41F9EFB308FCACF
C:\Users\user\AppData\Local\Temp\is-7B4BH.tmp\papercut-hive.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	6F986EF33F81F6A1000EEAF12445651D	36C67D7A61804EF02B605507882F53826E427B17	5D85D8D2DA0D7378F45D63FE5832C54ACF9FD366C3CF0B750E68DF22723D2342
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\_isetup\_setup64.tmp	PE32+ executable (console) x86-64, for MS Windows	E4211D6D009757C078A9FAC7FF4F03D4	019CD56BA687D39D12D4B13991C9A42EA6BA03DA	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\antivirus-info.log	Unicode text, UTF-16, little-endian text, with CRLF line terminators	BADD11B8E3771A5E945A1A5A826BFDBC	3BD34720D25876F9FEF0E6059FBBC2C6D0CB9A7D	81B59FBD914C2F8DE4A3D3F55FF6FC53737FDF89B706528C16A17559DBFBD3C9
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\.gitattributes	ASCII text	690B8F29CE97990CFC1378324E8AF628	D968F3610FD87CFACA70FDAC1DE740DADE1A6C71	9720533DE8799EDC830DA08447AE5864E14E2A2DA2EBD109AF438521E4531B5F
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\pcglobal.cat	data	C1FA5D6107C00977E330349FFB07F380	C967B395AB4E4B26708F9A042DC255721D98D630	022980B4726628E2A304E74007D6ADE1C978493307B334497D91F9EEDD9417DB
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\pcglobal.inf	Windows setup INFormation	0CBC2ED5B1CA87B0A57C2D3B8D24E96E	D88744C5FE576FC75AEB626351A479B36470D07D	C0E6231D40C609DD7AC1B0DD4D9FAAA784ECADA7F468D46B42A4AC818878A7F3
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\pcglobal.ppd	PPD file, version "4.3"	4559236DAE31768C392B1793727C5941	E9703C30CE7CCE5FD0496C4C1BBC7A8CBBE123E6	EA22FE16B562BDDFDA46E3DD4B3AC830CE5F064929BCFF6B67DCDFC3E9D36821
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\PC-Global-Print-Driver\pcntns.ppd	PPD file, version "4.3"	8E4D52887A32ADB2DD7B7BE154386C9B	77FBE0E8C536C8674C024FE72B39625F5E7A443C	4C2196498AA1E5371A583FE716E99D4ECBD26140618F22882CF21022A93D2E53
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\pc-print-client.exe	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	F65100B9805BF914F9F77AA08566AFAB	3617F0260F64A901213587CD35F79E095F7A5633	4F4DDB33A225A71AD699156E0271ADF07B84F55B3051D19B5C68EC0EA442DA4C
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\printer-settings-us-ca.bin	data	A7C2E59EA7DA76458F57A3CEC94AD4F2	215548803E78634B458CBFB700248782F08B9566	2D2F724EE164B172F3BE01FDA288D17515B42C9D436E0531B435186EC6E4D416
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\client\printer-settings.bin	data	0188820F8D1F9E537C49B2DF1697A5E5	1C13235A80AEE6775C8F8BCF0A41B398E24859BF	5579D7D552B1596752CAAE4F3DEE8E26C29C1868D119D8B261B13BE0CBA2B03C
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\data\config\cloud-region.conf	ASCII text, with no line terminators	F8B5DCBCDDDC5AA373D11105AB5BA5AE	5D1DD0A46025DA03673978F42A75D4707604683D	EE44E6637CFB87DCC766A9390C2B8E0BD63C512DAF25DA1058272E0D94A85E8B
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\ghost-trap-installer-1.5.10.03.exe	PE32 executable (GUI) Intel 80386, for MS Windows	6BEC66D2079FA4402527770AC2037085	FCF8B6678E404563B29E960BF83D14576B06D249	54832CDA1A9B6FACFCED034B6E85FCF3B68F6A616867996283029C802AC96AE7
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\idp.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	55C310C0319260D798757557AB3BF636	0892EB7ED31D8BB20A56C6835990749011A2D8DE	54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\post.bmp	PC bitmap, Windows 3.x format, 420 x 250 x 16, image size 210002, resolution 2834 x 2834 px/m, cbSize 210056, bits offset 54	B75F1EF5AE5394974A2974844EFD7A02	00F370C99AB1E71CE69F588818EEF3D4C5DDA911	5F886B8FF04B75CB7DEAEFBF31F8F02C8A0D84DE15F2181E370B9D3461E26829
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\queue_install.log	ASCII text	A468CB349CCF75ACF0DCFA5C9627CFC0	7EA284E2EBD86BEF6946E8A2F0CE5B2F31509937	012422FD0C9237C62ECE4D6A71037DC26D4018717DB7C5FA7623B7E1D0B99748
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\vcredist_x64.exe	PE32 executable (GUI) Intel 80386, for MS Windows	689D09BCE45C75DB883DB7E78B6F4E9B	BA92A00F0F55DCAE85C1BBD098EFE606BD080B3C	814E9DA5EC5E5D6A8FA701999D1FC3BADDF7F3ADC528E202590E9B1CB73E4A11
C:\Users\user\AppData\Local\Temp\is-B2R1D.tmp\~execwithresult.txt	ASCII text, with CRLF line terminators	1620A078BA81DBB5AFFD2C0B678EB7F6	3ABCC647AB1798F4177045D491E10815424AA1F7	34DAF550002E9BCD22ADC72DE9F1AC2738224754A7FEBB3FFE9CC6694FD1B4D6
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\SETF815.tmp	PPD file, version "4.3"	8E4D52887A32ADB2DD7B7BE154386C9B	77FBE0E8C536C8674C024FE72B39625F5E7A443C	4C2196498AA1E5371A583FE716E99D4ECBD26140618F22882CF21022A93D2E53
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\SETF836.tmp	data	C1FA5D6107C00977E330349FFB07F380	C967B395AB4E4B26708F9A042DC255721D98D630	022980B4726628E2A304E74007D6ADE1C978493307B334497D91F9EEDD9417DB
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\SETF846.tmp	Windows setup INFormation	0CBC2ED5B1CA87B0A57C2D3B8D24E96E	D88744C5FE576FC75AEB626351A479B36470D07D	C0E6231D40C609DD7AC1B0DD4D9FAAA784ECADA7F468D46B42A4AC818878A7F3
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\SETF867.tmp	PPD file, version "4.3"	4559236DAE31768C392B1793727C5941	E9703C30CE7CCE5FD0496C4C1BBC7A8CBBE123E6	EA22FE16B562BDDFDA46E3DD4B3AC830CE5F064929BCFF6B67DCDFC3E9D36821
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\pcglobal.cat (copy)	data	C1FA5D6107C00977E330349FFB07F380	C967B395AB4E4B26708F9A042DC255721D98D630	022980B4726628E2A304E74007D6ADE1C978493307B334497D91F9EEDD9417DB
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\pcglobal.inf (copy)	Windows setup INFormation	0CBC2ED5B1CA87B0A57C2D3B8D24E96E	D88744C5FE576FC75AEB626351A479B36470D07D	C0E6231D40C609DD7AC1B0DD4D9FAAA784ECADA7F468D46B42A4AC818878A7F3
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\pcglobal.ppd (copy)	PPD file, version "4.3"	4559236DAE31768C392B1793727C5941	E9703C30CE7CCE5FD0496C4C1BBC7A8CBBE123E6	EA22FE16B562BDDFDA46E3DD4B3AC830CE5F064929BCFF6B67DCDFC3E9D36821
C:\Users\user\AppData\Local\Temp\{4744f51b-c3b4-8c45-9965-84928136fda2}\pcntns.ppd (copy)	PPD file, version "4.3"	8E4D52887A32ADB2DD7B7BE154386C9B	77FBE0E8C536C8674C024FE72B39625F5E7A443C	4C2196498AA1E5371A583FE716E99D4ECBD26140618F22882CF21022A93D2E53
C:\Windows\INF\oem4.inf	Windows setup INFormation	0CBC2ED5B1CA87B0A57C2D3B8D24E96E	D88744C5FE576FC75AEB626351A479B36470D07D	C0E6231D40C609DD7AC1B0DD4D9FAAA784ECADA7F468D46B42A4AC818878A7F3
C:\Windows\INF\setupapi.dev.log	Generic INItialization configuration [BeginLog]	797061849F59DBDD29B72334BBB581BF	672D500A4C3177F256A554222543EF42CC5F56D5	224DAD36F52F1D9F64029DECB2FA911BE38571CDC5618A63E8647ABF9811F68F
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\SETF9DB.tmp	PPD file, version "4.3"	8E4D52887A32ADB2DD7B7BE154386C9B	77FBE0E8C536C8674C024FE72B39625F5E7A443C	4C2196498AA1E5371A583FE716E99D4ECBD26140618F22882CF21022A93D2E53
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\SETF9EB.tmp	data	C1FA5D6107C00977E330349FFB07F380	C967B395AB4E4B26708F9A042DC255721D98D630	022980B4726628E2A304E74007D6ADE1C978493307B334497D91F9EEDD9417DB
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\SETF9FC.tmp	Windows setup INFormation	0CBC2ED5B1CA87B0A57C2D3B8D24E96E	D88744C5FE576FC75AEB626351A479B36470D07D	C0E6231D40C609DD7AC1B0DD4D9FAAA784ECADA7F468D46B42A4AC818878A7F3
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\SETFA0C.tmp	PPD file, version "4.3"	4559236DAE31768C392B1793727C5941	E9703C30CE7CCE5FD0496C4C1BBC7A8CBBE123E6	EA22FE16B562BDDFDA46E3DD4B3AC830CE5F064929BCFF6B67DCDFC3E9D36821
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\pcglobal.cat (copy)	data	C1FA5D6107C00977E330349FFB07F380	C967B395AB4E4B26708F9A042DC255721D98D630	022980B4726628E2A304E74007D6ADE1C978493307B334497D91F9EEDD9417DB
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\pcglobal.inf (copy)	Windows setup INFormation	0CBC2ED5B1CA87B0A57C2D3B8D24E96E	D88744C5FE576FC75AEB626351A479B36470D07D	C0E6231D40C609DD7AC1B0DD4D9FAAA784ECADA7F468D46B42A4AC818878A7F3
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\pcglobal.ppd (copy)	PPD file, version "4.3"	4559236DAE31768C392B1793727C5941	E9703C30CE7CCE5FD0496C4C1BBC7A8CBBE123E6	EA22FE16B562BDDFDA46E3DD4B3AC830CE5F064929BCFF6B67DCDFC3E9D36821
C:\Windows\System32\DriverStore\Temp\{db7c9079-64f3-cb4a-9c36-b79a3d2cd1fb}\pcntns.ppd (copy)	PPD file, version "4.3"	8E4D52887A32ADB2DD7B7BE154386C9B	77FBE0E8C536C8674C024FE72B39625F5E7A443C	4C2196498AA1E5371A583FE716E99D4ECBD26140618F22882CF21022A93D2E53
C:\Windows\System32\catroot2\dberr.txt	ASCII text, with CRLF line terminators	BD8E6BA45787B1798FFBC8D895CDE8E7	B109B43801E334B322A72A3D4B8A35AC6E4CCD5D	443C031CFF62AEAE66F5FB4E27B5D3C185BB1F851600C8901884AE6D5FEE48E9
C:\Windows\System32\spool\drivers\x64\3\pcntns.BPD	data	586B41B5F741245BC29384656C42A1EB	F35A9006FC321BF12F488CDC7C8DB658A8FE9616	BA667B5C32C55054ED353D519C7D78720276518EC9E6120C0182203D275A0CCD