File name: HPSupportSolutionsFramework-13.0.1.131.exe

Full analysis: https://app.any.run/tasks/2ce22dd6-1dfa-495d-9f9c-3bde1be66ebb
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 24, 2025, 03:57:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 2B66105D36CD3ACE271BA51F9130D227
SHA1: DA9E1F8739DC5CA873A5282241656AE0C926BEC5
SHA256: 1D80AE98533D9D46C323E0854EB334C047490C906AEC9E14910CF9360A5BFCD2
SSDEEP: 98304:6mxyENGiMdXhTwK8p2tBslLuK3PEZ5HtAimOfmZO9610SrEAAx93i90LX1V5uBA1:4bo7Jdnb1Lck2oD0C+G3ISk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • HPWPD.exe (PID: 4000)
    • Steals credentials from Web Browsers

      • HPWPD.exe (PID: 4000)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • HPSupportSolutionsFramework-13.0.1.131.exe (PID: 6268)
    • Executable content was dropped or overwritten

      • HPSupportSolutionsFramework-13.0.1.131.exe (PID: 6268)
      • expand.exe (PID: 6264)
      • rundll32.exe (PID: 7908)
      • rundll32.exe (PID: 7968)
      • rundll32.exe (PID: 8024)
      • rundll32.exe (PID: 7380)
      • rundll32.exe (PID: 7748)
      • rundll32.exe (PID: 2340)
      • rundll32.exe (PID: 7800)
      • rundll32.exe (PID: 7724)
      • rundll32.exe (PID: 7480)
      • rundll32.exe (PID: 4784)
    • Reads the date of Windows installation

      • HPSupportSolutionsFramework.exe (PID: 1188)
    • Unpacks CAB file

      • expand.exe (PID: 6264)
    • Process drops legitimate windows executable

      • expand.exe (PID: 6264)
      • msiexec.exe (PID: 7820)
    • The process drops C-runtime libraries

      • expand.exe (PID: 6264)
      • rundll32.exe (PID: 7724)
      • msiexec.exe (PID: 7820)
    • Reads security settings of Internet Explorer

      • HPSupportSolutionsFramework.exe (PID: 1188)
      • BridgeCommunication.exe (PID: 736)
      • BridgeCommunication.exe (PID: 6244)
      • BridgeCommunication.exe (PID: 5008)
      • HPSSFUpdater.exe (PID: 7176)
      • HPSSFUpdater.exe (PID: 4272)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7444)
      • SysInfoCap.exe (PID: 300)
      • AppHelperCap.exe (PID: 516)
      • DiagsCap.exe (PID: 7420)
      • NetworkCap.exe (PID: 6436)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7820)
    • Searches for installed software

      • HPSupportSolutionsFramework.exe (PID: 1188)
  • INFO

    • Checks supported languages

      • HPSupportSolutionsFramework-13.0.1.131.exe (PID: 6268)
      • expand.exe (PID: 6264)
      • msiexec.exe (PID: 7860)
      • HPSupportSolutionsFramework.exe (PID: 1188)
      • msiexec.exe (PID: 7820)
      • msiexec.exe (PID: 7656)
      • AppHelperCap.exe (PID: 6676)
      • SysInfoCap.exe (PID: 7700)
      • DiagsCap.exe (PID: 896)
      • NetworkCap.exe (PID: 7968)
      • SysInfoCap.exe (PID: 2644)
      • AppHelperCap.exe (PID: 5164)
      • NetworkCap.exe (PID: 6048)
      • DiagsCap.exe (PID: 3956)
      • SysInfoCap.exe (PID: 300)
      • AppHelperCap.exe (PID: 516)
      • DiagsCap.exe (PID: 7420)
      • NetworkCap.exe (PID: 6436)
      • BridgeCommunication.exe (PID: 736)
      • BridgeCommunication.exe (PID: 6244)
      • BridgeCommunication.exe (PID: 5008)
      • HPDIA.exe (PID: 7964)
      • HPSSFUpdater.exe (PID: 7176)
      • HPWPD.exe (PID: 4000)
      • HPSSFUpdater.exe (PID: 4272)
    • The sample is compiled with English language support

      • HPSupportSolutionsFramework-13.0.1.131.exe (PID: 6268)
      • expand.exe (PID: 6264)
      • rundll32.exe (PID: 7724)
      • msiexec.exe (PID: 7820)
    • Reads the computer name

      • HPSupportSolutionsFramework.exe (PID: 1188)
      • HPSupportSolutionsFramework-13.0.1.131.exe (PID: 6268)
      • msiexec.exe (PID: 7820)
      • msiexec.exe (PID: 7860)
      • msiexec.exe (PID: 7656)
      • NetworkCap.exe (PID: 7968)
      • AppHelperCap.exe (PID: 6676)
      • SysInfoCap.exe (PID: 7700)
      • DiagsCap.exe (PID: 896)
      • SysInfoCap.exe (PID: 2644)
      • AppHelperCap.exe (PID: 5164)
      • DiagsCap.exe (PID: 3956)
      • SysInfoCap.exe (PID: 300)
      • AppHelperCap.exe (PID: 516)
      • NetworkCap.exe (PID: 6436)
      • NetworkCap.exe (PID: 6048)
      • DiagsCap.exe (PID: 7420)
      • BridgeCommunication.exe (PID: 736)
      • BridgeCommunication.exe (PID: 6244)
      • BridgeCommunication.exe (PID: 5008)
      • HPDIA.exe (PID: 7964)
      • HPWPD.exe (PID: 4000)
      • HPSSFUpdater.exe (PID: 7176)
      • HPSSFUpdater.exe (PID: 4272)
    • Reads the machine GUID from the registry

      • expand.exe (PID: 6264)
      • HPSupportSolutionsFramework.exe (PID: 1188)
      • msiexec.exe (PID: 7820)
      • AppHelperCap.exe (PID: 516)
      • NetworkCap.exe (PID: 6436)
      • SysInfoCap.exe (PID: 300)
      • DiagsCap.exe (PID: 7420)
      • BridgeCommunication.exe (PID: 736)
      • BridgeCommunication.exe (PID: 6244)
      • BridgeCommunication.exe (PID: 5008)
      • HPDIA.exe (PID: 7964)
      • HPWPD.exe (PID: 4000)
      • HPSSFUpdater.exe (PID: 4272)
      • HPSSFUpdater.exe (PID: 7176)
    • Creates files in a temporary directory

      • HPSupportSolutionsFramework-13.0.1.131.exe (PID: 6268)
      • msiexec.exe (PID: 7588)
      • rundll32.exe (PID: 7908)
      • rundll32.exe (PID: 7968)
      • rundll32.exe (PID: 8024)
    • Creates files in the program directory

      • expand.exe (PID: 6264)
      • HPSupportSolutionsFramework.exe (PID: 1188)
      • rundll32.exe (PID: 7724)
      • NetworkCap.exe (PID: 6436)
      • HPSSFUpdater.exe (PID: 7176)
    • Reads the software policy settings

      • HPSupportSolutionsFramework.exe (PID: 1188)
      • msiexec.exe (PID: 7588)
      • BackgroundTransferHost.exe (PID: 6516)
      • msiexec.exe (PID: 7820)
      • SysInfoCap.exe (PID: 300)
      • AppHelperCap.exe (PID: 516)
      • NetworkCap.exe (PID: 6436)
      • DiagsCap.exe (PID: 7420)
      • BridgeCommunication.exe (PID: 736)
      • BridgeCommunication.exe (PID: 5008)
      • BridgeCommunication.exe (PID: 6244)
      • HPSSFUpdater.exe (PID: 7176)
      • HPSSFUpdater.exe (PID: 4272)
    • Process checks computer location settings

      • HPSupportSolutionsFramework.exe (PID: 1188)
      • HPSSFUpdater.exe (PID: 7176)
      • HPSSFUpdater.exe (PID: 4272)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7588)
      • BackgroundTransferHost.exe (PID: 8116)
      • BackgroundTransferHost.exe (PID: 7712)
      • BackgroundTransferHost.exe (PID: 6516)
      • BackgroundTransferHost.exe (PID: 7376)
      • BackgroundTransferHost.exe (PID: 7976)
      • rundll32.exe (PID: 7724)
      • rundll32.exe (PID: 7480)
    • Checks proxy server information

      • msiexec.exe (PID: 7588)
      • BackgroundTransferHost.exe (PID: 6516)
      • BridgeCommunication.exe (PID: 736)
      • HPSSFUpdater.exe (PID: 4272)
      • HPSSFUpdater.exe (PID: 7176)
      • HPSupportSolutionsFramework.exe (PID: 1188)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 7588)
      • BackgroundTransferHost.exe (PID: 6516)
      • BridgeCommunication.exe (PID: 736)
      • HPWPD.exe (PID: 4000)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7588)
      • msiexec.exe (PID: 7820)
    • Manages system restore points

      • SrTasks.exe (PID: 660)
    • Reads Environment values

      • AppHelperCap.exe (PID: 516)
      • HPSSFUpdater.exe (PID: 7176)
      • HPSSFUpdater.exe (PID: 4272)
      • HPSupportSolutionsFramework.exe (PID: 1188)
    • Disables trace logs

      • HPSSFUpdater.exe (PID: 4272)
      • HPSupportSolutionsFramework.exe (PID: 1188)
      • HPSSFUpdater.exe (PID: 7176)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:11:18 16:27:32+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 82944
InitializedDataSize: 30208
UninitializedDataSize: -
EntryPoint: 0x1373c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 9.20.0.0
ProductVersionNumber: 9.20.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Setup SFX
FileVersion: 9.2
InternalName: 7zS.sfx
LegalCopyright: Copyright (c) 1999-2010 Igor Pavlov
OriginalFileName: 7zS.sfx.exe
ProductName: 7-Zip
ProductVersion: 9.2
No data.
All screenshots are available in the full report
Total processes: 195
Monitored processes: 57
Malicious processes: 5
Suspicious processes: 2

Behavior graph

start hpsupportsolutionsframework-13.0.1.131.exe sppextcomobj.exe no specs slui.exe hpsupportsolutionsframework.exe expand.exe conhost.exe no specs msiexec.exe msiexec.exe msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs vssvc.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe sysinfocap.exe no specs conhost.exe no specs apphelpercap.exe no specs conhost.exe no specs networkcap.exe no specs conhost.exe no specs diagscap.exe no specs conhost.exe no specs sysinfocap.exe no specs conhost.exe no specs apphelpercap.exe no specs conhost.exe no specs networkcap.exe no specs conhost.exe no specs diagscap.exe no specs conhost.exe no specs sysinfocap.exe apphelpercap.exe networkcap.exe diagscap.exe unsecapp.exe no specs bridgecommunication.exe bridgecommunication.exe no specs bridgecommunication.exe no specs rundll32.exe rundll32.exe hpdia.exe no specs hpwpd.exe hpssfupdater.exe hpssfupdater.exe hpsupportsolutionsframework-13.0.1.131.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Program Files\HP\HP Enabling Services\SysInfoCap.exe"
Path: C:\Program Files\HP\HP Enabling Services\SysInfoCap.exe
Parent process: services.exe
User: SYSTEM
Company: HP Inc.
Integrity Level: SYSTEM
Version: 1.68.3814.0
Modules
Images
c:\program files\hp\hp enabling services\sysinfocap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 516
CMD: "C:\Program Files\HP\HP Enabling Services\AppHelperCap.exe"
Path: C:\Program Files\HP\HP Enabling Services\AppHelperCap.exe
Parent process: services.exe
User: SYSTEM
Company: HP Inc.
Integrity Level: SYSTEM
Version: 1.68.3814.0
Modules
Images
c:\program files\hp\hp enabling services\apphelpercap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 660
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\spp.dll
PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: expand.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: "C:\Program Files\HP\HP Enabling Services\BridgeCommunication.exe" 2e3eb950-d895-4351-bc79-7d993d0af23c Global\f42781ca-fb03-4381-b96a-b24bdd645db1 1488
Path: C:\Program Files\HP\HP Enabling Services\BridgeCommunication.exe
Parent process: SysInfoCap.exe
User: admin
Company: HP Inc.
Integrity Level: MEDIUM
Exit code: 3221225786
Version: 1.68.3814.0
Modules
Images
c:\program files\hp\hp enabling services\bridgecommunication.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 896
CMD: "C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\DiagsCap.exe" -remove
Path: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\DiagsCap.exe
Parent process: rundll32.exe
User: admin
Company: HP Inc.
Integrity Level: HIGH
Exit code: 0
Version: 1.68.3814.0
Modules
Images
c:\program files (x86)\hp\hp support framework\enabling services - new\diagscap.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1088
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SysInfoCap.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: .\HPSupportSolutionsFramework.exe
Path: C:\Users\admin\AppData\Local\Temp\7zSC3FE.tmp\HPSupportSolutionsFramework.exe
Parent process: HPSupportSolutionsFramework-13.0.1.131.exe
User: admin
Company: HP Inc.
Integrity Level: HIGH
Description: HPSupportSolutionsFramework
Exit code: 0
Version: 13.0.1.131
Modules
Images
c:\users\admin\appdata\local\temp\7zsc3fe.tmp\hpsupportsolutionsframework.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1328
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AppHelperCap.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1760
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: AppHelperCap.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 56 630
Read events: 56 180
Write events: 433
Delete events: 17

Modification events

(PID) Process: (8116) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (8116) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (8116) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6516) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6516) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6516) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7376) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7376) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7376) BackgroundTransferHost.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7820) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4800000000000000BBB15AE1709CDB018C1E0000E8050000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 255
Suspicious files: 70
Text files: 36
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 1188
Process: HPSupportSolutionsFramework.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New.cab
Type:
MD5:
SHA256:

PID: 6268
Process: HPSupportSolutionsFramework-13.0.1.131.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSC3FE.tmp\HPSupportSolutionsFramework.exe.config
Type: xml
MD5: EAF08CAB8FFC957035734BA744FF2147
SHA256: C6D0ACE656D3D1884AD9C98611AF752F5437FA024F06F6C1F913558863188966

PID: 6264
Process: expand.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AnalyticsService.dll
Type: executable
MD5: 4ED8D3AE32DD7FF8DE3DF74E1948C6A2
SHA256: A2878E6759C7196244E56E682CDE4E388C305362433C6D61A8052936A962C29E

PID: 6268
Process: HPSupportSolutionsFramework-13.0.1.131.exe
Filename: C:\Users\admin\AppData\Local\Temp\7zSC3FE.tmp\HPSupportSolutionsFramework.exe
Type: executable
MD5: 36A8A7C589D7DFA375281159B01E7A2C
SHA256: CF6EBED6D72208273C7A80942D6ECAE99E52DCD1940117BC1F04A73F82AFE207

PID: 6264
Process: expand.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppHelperCap_HPManifest.xml
Type: xml
MD5: 16F2AE17256BB887DF029D6D01A73E86
SHA256: 68C2B70CA9BBE66D9F57652B13FB18FC1CF7A4F20694BAC8F61F3DC54AA3C3A7

PID: 6264
Process: expand.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\CameraService.dll
Type: executable
MD5: AA5F32ED3DAAEE041AEF8A1B96BFEDA2
SHA256: 35CACD2269DAA2A8CA0B755AAB897A6BD10086AD867A44DECE05FCB4BA5EDE85

PID: 6264
Process: expand.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppHelperCap_HPManifest.p7s
Type: binary
MD5: D4890E46B3EAF57647617D89D6CFDF85
SHA256: FD99B69343000B4A66A5AC5F68C49F2C18A5E218C81DADD561B2A81474787044

PID: 6264
Process: expand.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppServiceProxy.dll
Type: executable
MD5: 36399CBF762CE821B05DDC01A1B6ED70
SHA256: 49B127E0BC271C4DD4F358BD89072070D8A222BEFF0AD7BD46FD44D818861A2F

PID: 6264
Process: expand.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\concrt140.dll
Type: executable
MD5: 68D03F06720C6248AB3C8778E484A621
SHA256: D0B60A01D68D9591ACB35779B3FC48A00CA2EAF76487391D994AD1E5C2777491

PID: 6264
Process: expand.exe
Filename: C:\Program Files (x86)\HP\HP Support Framework\Enabling services - New\AppServiceProxySDK.dll
Type: executable
MD5: 59DC7AC7DE1E6C06B45490FE0ED093F0
SHA256: 141F183E8F14C2F69046E6C3A131487A1BD960E985A9B087266A72EF88A95847
HTTP(S) requests: 37
TCP/UDP connections: 49
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
7588 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
7588 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
7588 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAbpuiiaKl1yl885KJpyr88%3D | unknown | - | - | whitelisted
6872 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
6516 | BackgroundTransferHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
300 | SysInfoCap.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
8184 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
8184 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7588 | msiexec.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
6872 | backgroundTaskHost.exe | 20.223.36.55:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
  • 2.16.164.72
  • 2.16.164.120
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.72
  • 20.190.160.130
  • 20.190.160.5
  • 40.126.32.136
  • 40.126.32.76
  • 20.190.160.64
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
www.bing.com
  • 104.126.37.139
  • 104.126.37.170
  • 104.126.37.131
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
Process | Message
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010
SysInfoCap.exe | Call complete. hResult = 0x80041010