Field | Value
---|---
File name | HPSupportSolutionsFramework-13.0.1.131.exe
Full analysis | https://app.any.run/tasks/2ce22dd6-1dfa-495d-9f9c-3bde1be66ebb
Verdict | Malicious activity
Threats | Stealers are a group of malicious software that are intended for gaining unauthorized access to users' information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.
Analysis date | March 24, 2025, 03:57:09
OS | Windows 10 Professional (build: 19045, 64 bit)
Tags | —
Indicators | —
MIME | application/vnd.microsoft.portable-executable
File info | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5 | 2B66105D36CD3ACE271BA51F9130D227
SHA1 | DA9E1F8739DC5CA873A5282241656AE0C926BEC5
SHA256 | 1D80AE98533D9D46C323E0854EB334C047490C906AEC9E14910CF9360A5BFCD2
SSDEEP | 98304:6mxyENGiMdXhTwK8p2tBslLuK3PEZ5HtAimOfmZO9610SrEAAx93i90LX1V5uBA1:4bo7Jdnb1Lck2oD0C+G3ISk
Extension | File type match (%)
---|---
.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)
Field | Value
---|---
MachineType | Intel 386 or later, and compatibles
TimeStamp | 2010:11:18 16:27:32+00:00
ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, 32-bit
PEType | PE32
LinkerVersion | 6
CodeSize | 82944
InitializedDataSize | 30208
UninitializedDataSize | —
EntryPoint | 0x1373c
OSVersion | 4
ImageVersion | —
SubsystemVersion | 4
Subsystem | Windows GUI
FileVersionNumber | 9.20.0.0
ProductVersionNumber | 9.20.0.0
FileFlagsMask | 0x003f
FileFlags | (none)
FileOS | Windows NT 32-bit
ObjectFileType | Executable application
FileSubtype | —
LanguageCode | English (U.S.)
CharacterSet | Unicode
CompanyName | Igor Pavlov
FileDescription | 7z Setup SFX
FileVersion | 9.2
InternalName | 7zS.sfx
LegalCopyright | Copyright (c) 1999-2010 Igor Pavlov
OriginalFileName | 7zS.sfx.exe
ProductName | 7-Zip
ProductVersion | 9.2
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
300 | "C:\Program Files\HP\HP Enabling Services\SysInfoCap.exe" | C:\Program Files\HP\HP Enabling Services\SysInfoCap.exe | | services.exe | User: SYSTEM; Company: HP Inc.; Integrity Level: SYSTEM; Version: 1.68.3814.0
516 | "C:\Program Files\HP\HP Enabling Services\AppHelperCap.exe" | C:\Program Files\HP\HP Enabling Services\AppHelperCap.exe | | services.exe | User: SYSTEM; Company: HP Inc.; Integrity Level: SYSTEM; Version: 1.68.3814.0
660 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Windows System Protection background tasks.; Version: 10.0.19041.1 (WinBuild.160101.0800)
664 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | expand.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
736 | "C:\Program Files\HP\HP Enabling Services\BridgeCommunication.exe" 2e3eb950-d895-4351-bc79-7d993d0af23c Global\f42781ca-fb03-4381-b96a-b24bdd645db1 1488 | C:\Program Files\HP\HP Enabling Services\BridgeCommunication.exe | | SysInfoCap.exe | User: admin; Company: HP Inc.; Integrity Level: MEDIUM; Exit code: 3221225786; Version: 1.68.3814.0
896 | "C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\DiagsCap.exe" -remove | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\DiagsCap.exe | — | rundll32.exe | User: admin; Company: HP Inc.; Integrity Level: HIGH; Exit code: 0; Version: 1.68.3814.0
1088 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SysInfoCap.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
1188 | .\HPSupportSolutionsFramework.exe | C:\Users\admin\AppData\Local\Temp\7zSC3FE.tmp\HPSupportSolutionsFramework.exe | | HPSupportSolutionsFramework-13.0.1.131.exe | User: admin; Company: HP Inc.; Integrity Level: HIGH; Description: HPSupportSolutionsFramework; Exit code: 0; Version: 13.0.1.131
1328 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | AppHelperCap.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
1760 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | AppHelperCap.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
8116 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content | write | CachePrefix |
8116 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies | write | CachePrefix | Cookie:
8116 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History | write | CachePrefix | Visited:
6516 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content | write | CachePrefix |
6516 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies | write | CachePrefix | Cookie:
6516 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History | write | CachePrefix | Visited:
7376 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content | write | CachePrefix |
7376 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies | write | CachePrefix | Cookie:
7376 | BackgroundTransferHost.exe | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History | write | CachePrefix | Visited:
7820 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | write | SrCreateRp (Enter) | 4800000000000000BBB15AE1709CDB018C1E0000E8050000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1188 | HPSupportSolutionsFramework.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New.cab | — | — | —
6268 | HPSupportSolutionsFramework-13.0.1.131.exe | C:\Users\admin\AppData\Local\Temp\7zSC3FE.tmp\HPSupportSolutionsFramework.exe.config | xml | EAF08CAB8FFC957035734BA744FF2147 | C6D0ACE656D3D1884AD9C98611AF752F5437FA024F06F6C1F913558863188966
6264 | expand.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AnalyticsService.dll | executable | 4ED8D3AE32DD7FF8DE3DF74E1948C6A2 | A2878E6759C7196244E56E682CDE4E388C305362433C6D61A8052936A962C29E
6268 | HPSupportSolutionsFramework-13.0.1.131.exe | C:\Users\admin\AppData\Local\Temp\7zSC3FE.tmp\HPSupportSolutionsFramework.exe | executable | 36A8A7C589D7DFA375281159B01E7A2C | CF6EBED6D72208273C7A80942D6ECAE99E52DCD1940117BC1F04A73F82AFE207
6264 | expand.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppHelperCap_HPManifest.xml | xml | 16F2AE17256BB887DF029D6D01A73E86 | 68C2B70CA9BBE66D9F57652B13FB18FC1CF7A4F20694BAC8F61F3DC54AA3C3A7
6264 | expand.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\CameraService.dll | executable | AA5F32ED3DAAEE041AEF8A1B96BFEDA2 | 35CACD2269DAA2A8CA0B755AAB897A6BD10086AD867A44DECE05FCB4BA5EDE85
6264 | expand.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppHelperCap_HPManifest.p7s | binary | D4890E46B3EAF57647617D89D6CFDF85 | FD99B69343000B4A66A5AC5F68C49F2C18A5E218C81DADD561B2A81474787044
6264 | expand.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppServiceProxy.dll | executable | 36399CBF762CE821B05DDC01A1B6ED70 | 49B127E0BC271C4DD4F358BD89072070D8A222BEFF0AD7BD46FD44D818861A2F
6264 | expand.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\concrt140.dll | executable | 68D03F06720C6248AB3C8778E484A621 | D0B60A01D68D9591ACB35779B3FC48A00CA2EAF76487391D994AD1E5C2777491
6264 | expand.exe | C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppServiceProxySDK.dll | executable | 59DC7AC7DE1E6C06B45490FE0ED093F0 | 141F183E8F14C2F69046E6C3A131487A1BD960E985A9B087266A72EF88A95847
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7588 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | — | — | whitelisted |
7588 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | — | — | whitelisted |
7588 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAbpuiiaKl1yl885KJpyr88%3D | unknown | — | — | whitelisted |
6872 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
6516 | BackgroundTransferHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
300 | SysInfoCap.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | — | — | whitelisted |
8184 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
8184 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7588 | msiexec.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
6872 | backgroundTaskHost.exe | 20.223.36.55:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation
---|---|---
google.com | | whitelisted
settings-win.data.microsoft.com | | whitelisted
crl.microsoft.com | | whitelisted
client.wns.windows.com | | whitelisted
login.live.com | | whitelisted
ocsp.digicert.com | | whitelisted
arc.msn.com | | whitelisted
www.bing.com | | whitelisted
slscr.update.microsoft.com | | whitelisted
www.microsoft.com | | whitelisted
Process | Message
---|---
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010