File name: Papercut.Smtp.Setup.exe

Full analysis: https://app.any.run/tasks/1e6907ca-89be-44e9-866a-456b6de17a82
Verdict: Malicious activity
Analysis date: April 26, 2024, 17:46:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 118564788379AFEB89377D807039890F
SHA1: F332F0EE61E4D73918ECD043998B5139C20A9614
SHA256: 7B6161DDDDB5BE11D240AF6D035615456E6EAA03171DECDB2476E4523F5FBDC6
SSDEEP: 98304:nLbkHLWqniKHqvHOX/r1hP/go82BZ2AoSX0PMnPztdaIfLUD9hOnS4cK8TDKMLUg:0sdUQM9ntbUJjAKDFBWJWqGx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • Papercut.Smtp.Setup.exe (PID: 3976)
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Changes the autorun value in the registry
      • Papercut.Smtp.Setup.exe (PID: 820)
  • SUSPICIOUS
    • Starts itself from another location
      • Papercut.Smtp.Setup.exe (PID: 3976)
      • Papercut.Smtp.Setup.exe (PID: 3996)
    • Executable content was dropped or overwritten
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 3976)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Searches for installed software
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Reads security settings of Internet Explorer
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Reads the Internet Settings
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Executes as Windows Service
      • VSSVC.exe (PID: 2044)
    • Creates a software uninstall entry
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Reads settings of System Certificates
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Process drops legitimate Windows executable
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Checks Windows Trust Settings
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
  • INFO
    • Checks supported languages
      • Papercut.Smtp.Setup.exe (PID: 3976)
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
      • wmpnscfg.exe (PID: 2284)
    • Reads the machine GUID from the registry
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Creates files in a temporary directory
      • Papercut.Smtp.Setup.exe (PID: 3976)
      • Papercut.Smtp.Setup.exe (PID: 3996)
    • Reads the computer name
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
      • wmpnscfg.exe (PID: 2284)
    • Creates files in the program directory
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Checks proxy server information
      • Papercut.Smtp.Setup.exe (PID: 3996)
    • Reads the software policy settings
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Creates files or folders in the user directory
      • Papercut.Smtp.Setup.exe (PID: 3996)
      • Papercut.Smtp.Setup.exe (PID: 820)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 2284)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:09:17 05:33:38+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 299008
InitializedDataSize: 263168
UninitializedDataSize: -
EntryPoint: 0x2df71
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.723.0
ProductVersionNumber: 1.0.723.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Changemaker Studios
FileDescription: Papercut SMTP
FileVersion: 1.0.723
InternalName: setup
LegalCopyright: Copyright (c) 2021 by Changemaker Studios
OriginalFileName: Papercut.Smtp.Setup.exe
ProductName: Papercut SMTP
ProductVersion: 1.0.723
Total processes: 41
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0


Process information

PID: 820
CMD: "C:\Users\admin\AppData\Local\Temp\{8496F0DB-10AA-4CEC-A730-CBD9706AF0DD}\.be\Papercut.Smtp.Setup.exe" -q -burn.elevated BurnPipe.{21C112AA-A358-4FA1-B69A-7B3E396A44F9} {80506F9D-D2D1-4D75-9F0F-C6F6A92BDECE} 3996
Path: C:\Users\admin\AppData\Local\Temp\{8496F0DB-10AA-4CEC-A730-CBD9706AF0DD}\.be\Papercut.Smtp.Setup.exe
Parent process: Papercut.Smtp.Setup.exe
User: admin
Company: Changemaker Studios
Integrity Level: HIGH
Description: Papercut SMTP
Version: 1.0.723
Modules (Images):
c:\users\admin\appdata\local\temp\{8496f0db-10aa-4cec-a730-cbd9706af0dd}\.be\papercut.smtp.setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2044
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 2284
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 3976
CMD: "C:\Users\admin\AppData\Local\Temp\Papercut.Smtp.Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Papercut.Smtp.Setup.exe
Parent process: explorer.exe
User: admin
Company: Changemaker Studios
Integrity Level: MEDIUM
Description: Papercut SMTP
Version: 1.0.723
Modules (Images):
c:\users\admin\appdata\local\temp\papercut.smtp.setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3996
CMD: "C:\Users\admin\AppData\Local\Temp\{F64F42A5-60D4-4A1C-8F6A-C26DF2C2CAA8}\.cr\Papercut.Smtp.Setup.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\Papercut.Smtp.Setup.exe" -burn.filehandle.attached=152 -burn.filehandle.self=160
Path: C:\Users\admin\AppData\Local\Temp\{F64F42A5-60D4-4A1C-8F6A-C26DF2C2CAA8}\.cr\Papercut.Smtp.Setup.exe
Parent process: Papercut.Smtp.Setup.exe
User: admin
Company: Changemaker Studios
Integrity Level: MEDIUM
Description: Papercut SMTP
Version: 1.0.723
Modules (Images):
c:\users\admin\appdata\local\temp\{f64f42a5-60d4-4a1c-8f6a-c26df2c2caa8}\.cr\papercut.smtp.setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 13 931
Read events: 13 687
Write events: 225
Delete events: 19

Modification events

(PID) Process: (3996) Papercut.Smtp.Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3996) Papercut.Smtp.Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3996) Papercut.Smtp.Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3996) Papercut.Smtp.Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (820) Papercut.Smtp.Setup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000005C3AD5C80198DA013403000060030000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (820) Papercut.Smtp.Setup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000005C3AD5C80198DA013403000060030000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (820) Papercut.Smtp.Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 75

(PID) Process: (820) Papercut.Smtp.Setup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4000000000000000A66BA9C90198DA013403000060030000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (820) Papercut.Smtp.Setup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 400000000000000000CEABC90198DA013403000008090000E8030000010000000000000000000000DC805B18648FFD438ECB8C691D0CF4C20000000000000000

(PID) Process: (2044) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000000EF5B2C90198DA01FC07000050070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files: 6
Suspicious files: 10
Text files: 5
Unknown types: 4

Dropped files

PID: 820 | Process: Papercut.Smtp.Setup.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: -
MD5: -
SHA256: -

PID: 820 | Process: Papercut.Smtp.Setup.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type: -
MD5: -
SHA256: -

PID: 3976 | Process: Papercut.Smtp.Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{F64F42A5-60D4-4A1C-8F6A-C26DF2C2CAA8}\.cr\Papercut.Smtp.Setup.exe
Type: executable
MD5: 8B8E3A29D60B9C8A5859A21EA0C03454
SHA256: F2994AB5E017B7B6BA7AC24DB4DBC9DFF9B8C4D72D5002430B425BA59E37BCF2

PID: 3996 | Process: Papercut.Smtp.Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{8496F0DB-10AA-4CEC-A730-CBD9706AF0DD}\.ba\logo.png
Type: image
MD5: 83C4663B5D7377D30390D085CA2F4593
SHA256: 6323AC37CCB61D41A0E81303C4730F5F92C676BD8E1AABE847247BF93E0E713B

PID: 3996 | Process: Papercut.Smtp.Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{8496F0DB-10AA-4CEC-A730-CBD9706AF0DD}\.ba\BootstrapperApplicationData.xml
Type: xml
MD5: AC2BECBFEACCBCF6128F99FE9938E64B
SHA256: E4AFB2AA55ED9A7EAAB230B20F041735D6FC31E5F286A12CB236702C0F50AC76

PID: 3996 | Process: Papercut.Smtp.Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{8496F0DB-10AA-4CEC-A730-CBD9706AF0DD}\.ba\thm.wxl
Type: xml
MD5: FC0DB4142556D3F38B0744A12F5F9D3D
SHA256: 8FBEB7F0B546D394D99B49D678D516402E8F54E5DEA590CC91733F502F288019

PID: 3996 | Process: Papercut.Smtp.Setup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Type: binary
MD5: 502D8AA9432E7807FD428FB93D7099AC
SHA256: 2D8A474BD24D367C09A54AEE3034DEF09EC25D6183E13CB83974C2FA71A47BE3

PID: 3996 | Process: Papercut.Smtp.Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{8496F0DB-10AA-4CEC-A730-CBD9706AF0DD}\DownloadAndInvokeBootstrapper
Type: executable
MD5: 8B9812BA27E12C79319D859E97955CA4
SHA256: A63D59B2AF0C7B2BE6984280386042A230DAB928E3B426D51A0AFB2EFF5F98E9

PID: 3996 | Process: Papercut.Smtp.Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{8496F0DB-10AA-4CEC-A730-CBD9706AF0DD}\.ba\thm.xml
Type: xml
MD5: C782782276C9B777DE65154AB442BED5
SHA256: C9278956FCD92C66D51D5DB42CEF5D2D85F8A8232E2BBC0670B0A1355F69E8EC

PID: 820 | Process: Papercut.Smtp.Setup.exe
Filename: C:\ProgramData\Package Cache\{333217d4-ef7e-4b28-b135-5d5181f0c9d2}\Papercut.Smtp.Setup.exe
Type: executable
MD5: 8B8E3A29D60B9C8A5859A21EA0C03454
SHA256: F2994AB5E017B7B6BA7AC24DB4DBC9DFF9B8C4D72D5002430B425BA59E37BCF2
HTTP(S) requests: 7
TCP/UDP connections: 11
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3996 | Papercut.Smtp.Setup.exe | GET | 304 | 173.222.108.210:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e948317888637db8 | unknown | unknown
3996 | Papercut.Smtp.Setup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | unknown
3996 | Papercut.Smtp.Setup.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
820 | Papercut.Smtp.Setup.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | unknown
820 | Papercut.Smtp.Setup.exe | GET | - | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
820 | Papercut.Smtp.Setup.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | unknown
820 | Papercut.Smtp.Setup.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3996 | Papercut.Smtp.Setup.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | unknown
3996 | Papercut.Smtp.Setup.exe | 173.222.108.210:80 | ctldl.windowsupdate.com | Akamai International B.V. | CH | unknown
3996 | Papercut.Smtp.Setup.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3996 | Papercut.Smtp.Setup.exe | 152.199.21.175:443 | msedge.sf.dl.delivery.mp.microsoft.com | EDGECAST | DE | whitelisted
820 | Papercut.Smtp.Setup.exe | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
820 | Papercut.Smtp.Setup.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
go.microsoft.com | 184.28.89.167 | whitelisted
ctldl.windowsupdate.com | 173.222.108.210, 173.222.108.226 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
msedge.sf.dl.delivery.mp.microsoft.com | 152.199.21.175 | whitelisted
crl.microsoft.com | 2.16.164.51, 2.16.164.42, 2.16.164.89, 2.16.164.83, 2.16.164.58, 2.16.164.34, 2.16.164.32, 2.16.164.81, 2.16.164.40, 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted

Threats

No threats detected
No debug info