Windows Analysis Report
WIN_DCA_2.4.0.10654_sursvc_qh.msi

Overview

General Information

Sample name: WIN_DCA_2.4.0.10654_sursvc_qh.msi
Analysis ID: 1426571
MD5: b9f88ef2f1b7956089e35f6762bbc494
SHA1: 420fa60ca04273bfba651402ebd1c60eba856114
SHA256: 3327e76ccdbb5b796da1ed96009345d60904f94102609854a2894439b0c711fc

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

.NET source code contains very large strings
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\ICIP
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\base_library.zip
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\cacert.pem
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\ICIP\Config.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\config.ini
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\config_api.ini
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ctypes.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_decimal.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_elementtree.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_watcher_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DSADcaIntegration.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\CrashLogAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\etw_options_config.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayStateAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\IntelFgndAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DriverDetection.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sur_hw_config.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_heartbeat_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\PhatAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\CSMEAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\HWPowerStatsTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link_helper.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\TextExtractorAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\WifiAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sur_os_counters.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DttEtlAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.inf
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\AnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\FPSAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_options.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_daq.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\libcrypto-3-x64.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_crashlog_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\EntityFramework.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_modeler.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemPowerStateAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.cat
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\LICENSE.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.cat
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_thread_monitor.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_hw_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_system_power_state_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_sur_sysprep.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sql_logger.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_acpi_battery_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DBAccessLayer.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\pl_agent_lib.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\apptable.csv
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_security.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\HeartBeatAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\analyzer.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\AudioAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sqlite3.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_fps_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_foreground_window_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\devices_use_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\NetworkBandwidthAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_desktop_mapper_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.sys
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DSACoreInterop64.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.sys
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\policy.json
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DevUseAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\HWMetaTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_wifi_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_os_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DBAccessLayer.dll.config
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_user_waiting_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SleepStudyAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SurSvc.exe.config
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\BatteryAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SurSvc.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\OSPerfCounterAnalyzerTasks.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\FgndBackgrndAppsAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\CapiEtlAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sur_eqs.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\OSSystemAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_phat_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_csme_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Common.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\BoundnessEventsAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\EventLogCollection.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\SQLite.Interop.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_display_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.inf
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Config.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\IntelSoftwareAssetManagerService.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_etw_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\lookup.zip
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\GenericSqlATLSupport.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_audio_input.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemUsageByFgndAppAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\BrowserHistoryAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\ProcessAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\OSPerfCounterAnalyzerTasks.dll.config
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemPowerStateAnalyzerTask.dll.config
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_extractor.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\UserWaitTimeAnalyzerTask.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.EF6.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\installer.bat
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\process_input_options.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_hashlib.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libcrypto-3.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libffi-8.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libssl-3.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\licenses.txt
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\logging_config.json
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_lzma.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_multiprocessing.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\perfmon.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pyexpat.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\python311.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pythoncom311.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pywintypes311.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_queue.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\ScheduleUpdates.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\select.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\servicemanager.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\shell_executor.exe
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_socket.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ssl.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\unicodedata.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api\x64
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api\x64\UpdateServiceProxy64.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\VCRUNTIME140.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32api.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32event.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32evtlog.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32file.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32inet.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32pipe.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32process.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32profile.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32security.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32service.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\_win32sysloader.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32trace.pyd
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32ts.pyd
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Directory created: C:\Program Files\Intel\SUR\ICIP\SURV8_ICIP.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\LICENSE.txt
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\licenses.txt
Source: Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: VCRUNTIME140.dll.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\wixca.pdb0 source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI234B.tmp.1.dr, MSI231B.tmp.1.dr, MSI227E.tmp.1.dr
Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: _multiprocessing.pyd.1.dr
Source: Binary string: D:\a\1\b\libssl-3.pdbFF source: libssl-3.dll.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_svc\esrv_svc.pdbNN,NGCTL source: esrv_svc.exe.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_user_waiting\intel_user_waiting_input.pdb** source: intel_user_waiting_input.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32ts.pdb source: win32ts.pyd.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-3.dll.1.dr, libcrypto-3-x64.dll.1.dr
Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32trace.pdb source: win32trace.pyd.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_lib\esrv_lib.pdb source: esrv_lib.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_user_waiting\intel_user_waiting_input.pdb source: intel_user_waiting_input.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\intel_sur_sysprep\intel_sur_sysprep.pdb source: intel_sur_sysprep.dll.1.dr
Source: Binary string: c:\ium\dev\installer\custom_action\SetPermissions\SetPermissions.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdb source: System.Data.SQLite.EF6.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_foreground_window\intel_foreground_window_input.pdb source: intel_foreground_window_input.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_os\intel_os_input.pdb++ source: intel_os_input.dll.1.dr
Source: Binary string: C:\ium\dev\installer\custom_action\SetEulaStatus\SetEulaStatus.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_lib\esrv_lib.pdb11 source: esrv_lib.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32event.pdb source: win32event.pyd.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_hw\intel_hw_input.pdb source: intel_hw_input.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32profile.pdb source: win32profile.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\pywintypes.pdb source: pywintypes311.dll.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x64\wixca.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI2513.tmp.1.dr, MSI235C.tmp.1.dr, MSI231B.tmp.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\productivity_link\productivity_link.pdb source: productivity_link.dll.1.dr
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: unicodedata.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\pywintypes.pdb** source: pywintypes311.dll.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32api.pdb source: win32api.pyd.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_os\intel_os_input.pdb source: intel_os_input.dll.1.dr
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_hw\intel_hw_input.pdb44 source: intel_hw_input.dll.1.dr
Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdb$ source: System.Data.SQLite.EF6.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\productivity_link_helper\productivity_link_helper.pdb source: productivity_link_helper.dll.1.dr
Source: Binary string: C:\ium\client\installer\custom_action\UpgradeEvidence\UpgradeEvidence.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\wixca.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI234B.tmp.1.dr, MSI231B.tmp.1.dr, MSI227E.tmp.1.dr
Source: Binary string: c:\VagrantDir\ium-client-mst\installer\custom_action\ScheduleUpdates\ScheduleUpdates.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.1.dr
Source: Binary string: e:\build_agent\workspace\laternrock_crashlog-win_main\Src\bin\x64\Release Static\crashlog_extractor.pdb source: crashlog_extractor.exe.1.dr
Source: Binary string: R:\sqlite\sqlite3.pdb source: sqlite3.dll.1.dr
Source: Binary string: C:\github\dca\openssl\libcrypto-3-x64.pdb source: libcrypto-3-x64.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_svc\esrv_svc.pdb source: esrv_svc.exe.1.dr
Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: System.Data.SQLite.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32security.pdb source: win32security.pyd.1.dr
Source: Binary string: e:\build_agent\workspace\laternrock_crashlog-win_main\Src\bin\x64\Release Static\crashlog_extractor.pdb2 source: crashlog_extractor.exe.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_foreground_window\intel_foreground_window_input.pdb++ source: intel_foreground_window_input.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32file.pdb source: win32file.pyd.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: vcruntime140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\perfmon.pdb source: perfmon.pyd.1.dr
Source: Binary string: D:\a\1\b\libssl-3.pdb source: libssl-3.dll.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: msvcp140_codecvt_ids.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Code function: 4x nop then jmp 00007FFD9B4109FFh 16_2_00007FFD9B4109C7
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Code function: 4x nop then jmp 00007FFD9B411162h 16_2_00007FFD9B4110C5
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: licenses.txt.1.dr String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: licenses.txt.1.dr String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: http://ocsp.sectigo.com0#
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: http://wixtoolset.org
Source: licenses.txt.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi String found in binary or memory: http://www.intel.com/privacy
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi String found in binary or memory: http://www.opensource.org).
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: sqlite3.dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SurConsent.exe, 00000010.00000002.2930982783.0000016C7B122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: licenses.txt.1.dr String found in binary or memory: https://github.com/jquery/globalize
Source: licenses.txt.1.dr String found in binary or memory: https://github.com/jquery/jquery
Source: win32security.pyd.1.dr, win32trace.pyd.1.dr, perfmon.pyd.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, win32profile.pyd.1.dr, win32api.pyd.1.dr, win32file.pyd.1.dr, pywintypes311.dll.1.dr String found in binary or memory: https://github.com/mhammond/pywin32
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://intel.com/privacy
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C00288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://intel.com/privacy.
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://intel.fr/privacy.
Source: licenses.txt.1.dr String found in binary or memory: https://jquery.org/
Source: licenses.txt.1.dr String found in binary or memory: https://js.foundation/
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policy.system-usage-report.
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policy.system-usage-report.intel.com/faq/
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, intel_hw_input.dll.1.dr, win32security.pyd.1.dr, libssl-3.dll.1.dr, crashlog_extractor.exe.1.dr, BatteryAnalyzerTask.dll.1.dr, win32trace.pyd.1.dr, DevUseAnalyzerTask.dll.1.dr, perfmon.pyd.1.dr, _multiprocessing.pyd.1.dr, CSMEAnalyzerTask.dll.1.dr, intel_os_input.dll.1.dr, libcrypto-3.dll.1.dr, win32ts.pyd.1.dr, win32event.pyd.1.dr, Config.dll0.1.dr, ProcessAnalyzerTask.dll.1.dr, HeartBeatAnalyzerTask.dll.1.dr, win32profile.pyd.1.dr, HWMetaTask.dll.1.dr, SurSvc.exe.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: System.Data.SQLite.EF6.dll.1.dr, System.Data.SQLite.dll.1.dr String found in binary or memory: https://system.data.sqlite.org/
Source: System.Data.SQLite.dll.1.dr String found in binary or memory: https://system.data.sqlite.org/X
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.co.jp/content/www/jp/ja/privacy/in
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.co.jp/content/www/jp/ja/privacy/intel-privacy-notice.html)
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.co.jp/content/www/jp/ja/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.co.kr/content/www/kr/ko/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com.br/content/www
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com.br/content/www/br/pt/privacy/intel-privacy-notice.html.
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com.br/content/www/br/pt/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com.tr/content/www/tr/tr/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/cn/zh/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/id/id/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/it/it/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/pl/pl/support/topics/idsa-cip.html.
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/ru/ru/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/th/th/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/tw/zh/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.intel.com/content/www/tw/zh/support/topics/idsa-cip.htmlH
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi String found in binary or memory: https://www.intel.com/content/www/us/en/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp, WIN_DCA_2.4.0.10654_sursvc_qh.msi String found in binary or memory: https://www.intel.com/content/www/us/en/support/topics/idsa-cip.html.
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/us/en/support/topics/idsa-cip.html8
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.com/content/www/vn/vi/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.de/content/www/de/de/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.es/content/www/es/es/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.eu/content/www/eu/en/privacy/intel-privacy-notice.html
Source: SurConsent.exe, 00000010.00000000.1904113870.0000016C77915000.00000002.00000001.01000000.00000004.sdmp, SurConsent.exe, 00000010.00000002.2928889066.0000016C0017B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.fr/content/www/fr/fr/support/topics/idsa-cip.html
Source: SurConsent.exe, 00000010.00000002.2928889066.0000016C0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.intel.it/content/www/it/it/privacy/intel-privacy-notice.html.
Source: libssl-3.dll.1.dr, libcrypto-3.dll.1.dr, libcrypto-3-x64.dll.1.dr String found in binary or memory: https://www.openssl.org/H
Source: System.Data.SQLite.EF6.dll.1.dr String found in binary or memory: https://www.sqlite.org/lang_aggfunc.html
Source: System.Data.SQLite.EF6.dll.1.dr String found in binary or memory: https://www.sqlite.org/lang_corefunc.html
Source: System.Data.SQLite.dll.1.dr String found in binary or memory: https://www.sqlite.org/see

System Summary

Source: ProcessAnalyzerTask.dll.1.dr, ProcessAnalyzerTask.cs Long String: Length: 10957
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.sys Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5c1378.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI21C1.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI226E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI227E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{4DF8D37E-055A-49B8-9317-305ECD1B9D1F} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI231B.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI234B.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI235C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI24C4.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2513.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI25D0.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI26AC.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI271A.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27B7.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2855.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\Registry Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\AppData Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\AppData\downloads Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\AppData\history Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\AppData\update_events Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\AppData\persisted_updates Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\AppData\captured_logs Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_atomic_wait.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_codecvt_ids.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vcruntime140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI38D0.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI21C1.tmp Jump to behavior
Source: DSADcaIntegration.dll.1.dr Static PE information: No import functions for PE file found
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi Binary or memory string: OriginalFilenameuica.dll\ vs WIN_DCA_2.4.0.10654_sursvc_qh.msi
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi Binary or memory string: OriginalFilenamewixca.dll\ vs WIN_DCA_2.4.0.10654_sursvc_qh.msi
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi Binary or memory string: OriginalFilenameServiceO.dll\ vs WIN_DCA_2.4.0.10654_sursvc_qh.msi
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi Binary or memory string: OriginalFilenameScheduleUpdates.dll` vs WIN_DCA_2.4.0.10654_sursvc_qh.msi
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi Binary or memory string: OriginalFilenamewixca.dllL vs WIN_DCA_2.4.0.10654_sursvc_qh.msi
Source: GenericSqlATLSupport.dll.1.dr, GenericSQLAnalyzerTask.cs Task registration methods: 'CreateValidSessionTableAndAnalysisInterval'
Source: DSADcaIntegration.dll.1.dr, FileSystemController.cs Security API names: System.IO.FileInfo.GetAccessControl()
Source: DSADcaIntegration.dll.1.dr, FileSystemController.cs Security API names: System.IO.DirectoryInfo.GetAccessControl()
Source: DSADcaIntegration.dll.1.dr, FileSystemController.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.GetAccessRules(bool, bool, System.Type)
Source: DSADcaIntegration.dll.1.dr, FileSystemController.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.SecurityIdentifier)
Source: DSADcaIntegration.dll.1.dr, FileSystemSafetyController.cs Security API names: Directory.GetAccessControl
Source: DSADcaIntegration.dll.1.dr, FileSystemSafetyController.cs Security API names: Directory.GetAccessControl(directory).GetAccessRules
Source: DSADcaIntegration.dll.1.dr, FileSystemSafetyController.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: sus26.evad.winMSI@22/178@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFE2BAD0F3398D8842.TMP Jump to behavior
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: sqlite3.dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: DisplayStateAnalyzerTask.dll.1.dr Binary or memory string: create table display_state_summary (measurement_time datetime, state varchar(255), session_id int, datatype int);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: BrowserHistoryAnalyzerTask.dll.1.dr Binary or memory string: create table if not exists visits(id INT, url INT, visit_time INT, from_visit INT, transition INT, segment_id INT, visit_duration INT, incremented_omnibox_typed_score NUM, user_key_idc_session_id INT); oError occured while merging browser history databases:
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\WIN_DCA_2.4.0.10654_sursvc_qh.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F1C809FEE972ABEAE39BB6DC6996D99E
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 594B08B14BB53DA353B7B8C7CFA5C9EA
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 848F5E5D5CCFC7A033F45D33B8DB52E8 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c cd "C:\Program Files\Intel\SUR\QUEENCREEK\" && if exist SurSvc.exe (start /b /wait /d "C:\Program Files\Intel\SUR\QUEENCREEK\" SurSvc.exe /uninstall)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c if exist "%PROGRAMDATA%\\Intel\\SharedData\\SDID" (del /f "%PROGRAMDATA%\\Intel\\SharedData\\SDID")
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C RMDIR /S /Q "C:\Program Files\Intel\SUR\QUEENCREEK\Updater\" && RMDIR /S /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\icacls.exe "C:\Windows\system32\icacls.exe" "C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv.exe" /inheritance:r /grant:r SYSTEM:F Administrators:R Users:R
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe "C:\Program Files\Intel\SUR\ICIP\SurConsent.exe" -install
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\config.ini Jump to behavior
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: I accept the terms in the License Agreement
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: Install
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Automated click: Accept
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\ICIP Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\base_library.zip Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\cacert.pem Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\ICIP\Config.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\config.ini Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\config_api.ini Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ctypes.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_decimal.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_elementtree.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_watcher_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DSADcaIntegration.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\CrashLogAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\etw_options_config.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayStateAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\IntelFgndAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DriverDetection.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sur_hw_config.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_heartbeat_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\PhatAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\CSMEAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\HWPowerStatsTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link_helper.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\TextExtractorAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\WifiAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sur_os_counters.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DttEtlAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.inf Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\AnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\FPSAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_options.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_daq.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\libcrypto-3-x64.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_crashlog_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\EntityFramework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_modeler.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemPowerStateAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.cat Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\LICENSE.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.cat Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_thread_monitor.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_hw_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_system_power_state_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_sur_sysprep.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sql_logger.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_acpi_battery_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DBAccessLayer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\pl_agent_lib.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\apptable.csv Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_security.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\HeartBeatAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\analyzer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\AudioAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sqlite3.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_fps_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_foreground_window_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\devices_use_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\NetworkBandwidthAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_desktop_mapper_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.sys Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DSACoreInterop64.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.sys Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\policy.json Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DevUseAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\HWMetaTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_wifi_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_os_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DBAccessLayer.dll.config Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_user_waiting_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SleepStudyAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SurSvc.exe.config Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\BatteryAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SurSvc.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\OSPerfCounterAnalyzerTasks.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\FgndBackgrndAppsAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\CapiEtlAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sur_eqs.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\OSSystemAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_phat_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_csme_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Common.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\BoundnessEventsAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\EventLogCollection.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\SQLite.Interop.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_display_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.inf Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Config.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\IntelSoftwareAssetManagerService.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_etw_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\lookup.zip Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\GenericSqlATLSupport.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_audio_input.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemUsageByFgndAppAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\BrowserHistoryAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\ProcessAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\OSPerfCounterAnalyzerTasks.dll.config Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemPowerStateAnalyzerTask.dll.config Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_extractor.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\UserWaitTimeAnalyzerTask.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.EF6.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\installer.bat Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\process_input_options.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_hashlib.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libcrypto-3.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libffi-8.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libssl-3.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\licenses.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\logging_config.json Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_lzma.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_multiprocessing.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\perfmon.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pyexpat.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\python311.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pythoncom311.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pywintypes311.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_queue.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\ScheduleUpdates.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\select.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\servicemanager.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\shell_executor.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_socket.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ssl.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\unicodedata.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api\x64 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api\x64\UpdateServiceProxy64.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\VCRUNTIME140.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32api.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32event.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32evtlog.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32file.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32inet.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32pipe.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32process.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32profile.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32security.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32service.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\_win32sysloader.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32trace.pyd Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32ts.pyd Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Directory created: C:\Program Files\Intel\SUR\ICIP\SURV8_ICIP.log Jump to behavior
Source: WIN_DCA_2.4.0.10654_sursvc_qh.msi Static file information: File size 24236032 > 1048576
Source: Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: VCRUNTIME140.dll.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\wixca.pdb0 source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI234B.tmp.1.dr, MSI231B.tmp.1.dr, MSI227E.tmp.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC; OpenSSL 3.1.3 19 Sep 2023; 3.1.3; built on: Tue Sep 19 20:46:09 2023 UTC; platform: VC-WIN64A; OPENSSLDIR: "C:\Program Files\Common Files\SSL"; ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"; MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"
Source: Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: _multiprocessing.pyd.1.dr
Source: Binary string: D:\a\1\b\libssl-3.pdbFF source: libssl-3.dll.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_svc\esrv_svc.pdbNN,NGCTL source: esrv_svc.exe.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_user_waiting\intel_user_waiting_input.pdb** source: intel_user_waiting_input.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32ts.pdb source: win32ts.pyd.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-3.dll.1.dr, libcrypto-3-x64.dll.1.dr
Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32trace.pdb source: win32trace.pyd.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_lib\esrv_lib.pdb source: esrv_lib.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_user_waiting\intel_user_waiting_input.pdb source: intel_user_waiting_input.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\intel_sur_sysprep\intel_sur_sysprep.pdb source: intel_sur_sysprep.dll.1.dr
Source: Binary string: c:\ium\dev\installer\custom_action\SetPermissions\SetPermissions.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdb source: System.Data.SQLite.EF6.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_foreground_window\intel_foreground_window_input.pdb source: intel_foreground_window_input.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_os\intel_os_input.pdb++ source: intel_os_input.dll.1.dr
Source: Binary string: C:\ium\dev\installer\custom_action\SetEulaStatus\SetEulaStatus.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_lib\esrv_lib.pdb11 source: esrv_lib.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32event.pdb source: win32event.pyd.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_hw\intel_hw_input.pdb source: intel_hw_input.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32profile.pdb source: win32profile.pyd.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\pywintypes.pdb source: pywintypes311.dll.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x64\wixca.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI2513.tmp.1.dr, MSI235C.tmp.1.dr, MSI231B.tmp.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\productivity_link\productivity_link.pdb source: productivity_link.dll.1.dr
Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: unicodedata.pyd.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC; OpenSSL 3.0.11 19 Sep 2023; 3.0.11; built on: Wed Sep 27 22:32:59 2023 UTC; platform: VC-WIN32; OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"; ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-3"; MODULESDIR: "C:\Program Files (x86)\OpenSSL\lib\ossl-modules" source: libcrypto-3.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\pywintypes.pdb** source: pywintypes311.dll.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32api.pdb source: win32api.pyd.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_os\intel_os_input.pdb source: intel_os_input.dll.1.dr
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_hw\intel_hw_input.pdb44 source: intel_hw_input.dll.1.dr
Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.EF6.2015\Release\System.Data.SQLite.EF6.pdb$ source: System.Data.SQLite.EF6.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\productivity_link_helper\productivity_link_helper.pdb source: productivity_link_helper.dll.1.dr
Source: Binary string: C:\ium\client\installer\custom_action\UpgradeEvidence\UpgradeEvidence.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\wixca.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI234B.tmp.1.dr, MSI231B.tmp.1.dr, MSI227E.tmp.1.dr
Source: Binary string: c:\VagrantDir\ium-client-mst\installer\custom_action\ScheduleUpdates\ScheduleUpdates.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI231B.tmp.1.dr
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: WIN_DCA_2.4.0.10654_sursvc_qh.msi, MSI38D0.tmp.1.dr, MSI25D0.tmp.1.dr, MSI26AC.tmp.1.dr, MSI231B.tmp.1.dr
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: libcrypto-3.dll.1.dr
Source: Binary string: e:\build_agent\workspace\laternrock_crashlog-win_main\Src\bin\x64\Release Static\crashlog_extractor.pdb source: crashlog_extractor.exe.1.dr
Source: Binary string: R:\sqlite\sqlite3.pdb source: sqlite3.dll.1.dr
Source: Binary string: C:\github\dca\openssl\libcrypto-3-x64.pdb source: libcrypto-3-x64.dll.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\esrv_svc\esrv_svc.pdb source: esrv_svc.exe.1.dr
Source: Binary string: C:\dev\sqlite\dotnet\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: System.Data.SQLite.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32security.pdb source: win32security.pyd.1.dr
Source: Binary string: e:\build_agent\workspace\laternrock_crashlog-win_main\Src\bin\x64\Release Static\crashlog_extractor.pdb2 source: crashlog_extractor.exe.1.dr
Source: Binary string: C:\Jenkins\Workspace\BUILD\GitRepos\dca-infra\build_windows_mainline\il_intel_foreground_window\intel_foreground_window_input.pdb++ source: intel_foreground_window_input.dll.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\win32file.pdb source: win32file.pyd.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: vcruntime140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: Binary string: C:\src\pywin32\build\temp.win32-3.11\Release\perfmon.pdb source: perfmon.pyd.1.dr
Source: Binary string: D:\a\1\b\libssl-3.pdb source: libssl-3.dll.1.dr
Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: msvcp140_codecvt_ids.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3.1.dr
Source: DSADcaIntegration.dll.1.dr Static PE information: 0xB9BEFE61 [Mon Oct 1 07:25:21 2068 UTC]
Source: IntelSoftwareAssetManagerService.exe.1.dr Static PE information: real checksum: 0x4f104b should be: 0x4e7d4b
Source: crashlog_extractor.exe.1.dr Static PE information: section name: _RDATA
Source: libcrypto-3.dll.1.dr Static PE information: section name: .00cfg
Source: libssl-3.dll.1.dr Static PE information: section name: .00cfg
Source: python311.dll.1.dr Static PE information: section name: PyRuntim
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Code function: 16_2_00007FFD9B418CB5 push eax; iretd 16_2_00007FFD9B418CCD
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Code function: 16_2_00007FFD9B418C95 push eax; iretd 16_2_00007FFD9B418CCD

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.sys Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.sys Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI227E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\EntityFramework.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\shell_executor.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DriverDetection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\PhatAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\IntelSoftwareAssetManagerService.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\TextExtractorAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vcruntime140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI24C4.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32service.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pythoncom311.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_atomic_wait.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_queue.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemUsageByFgndAppAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link_helper.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\VCRUNTIME140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pywintypes311.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32evtlog.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_fps_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\EventLogCollection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DBAccessLayer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\OSSystemAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\analyzer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_codecvt_ids.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\AudioAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI226E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sql_logger.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\HeartBeatAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_hw_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\HWMetaTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\CapiEtlAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\WifiAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32inet.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\devices_use_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DSACoreInterop64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\ScheduleUpdates.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_desktop_mapper_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\IntelFgndAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_socket.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI26AC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_hashlib.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ssl.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_daq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_user_waiting_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_acpi_battery_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32security.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\SystemPowerStateAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_foreground_window_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_phat_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\CrashLogAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pyexpat.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32process.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\FPSAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libcrypto-3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\SleepStudyAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32event.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_security.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_extractor.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\BrowserHistoryAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sqlite3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_os_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_elementtree.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DttEtlAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\UserWaitTimeAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayStateAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI25D0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\ProcessAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_heartbeat_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\CSMEAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_watcher_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI271A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DSADcaIntegration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32api.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\BatteryAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_csme_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27B7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\servicemanager.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI21C1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_system_power_state_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libffi-8.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Config.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32file.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32profile.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libssl-3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\BoundnessEventsAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI38D0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\ICIP\Config.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_sur_sysprep.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\pl_agent_lib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\select.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_decimal.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\libcrypto-3-x64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI234B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\unicodedata.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\AnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_audio_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_etw_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\OSPerfCounterAnalyzerTasks.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\SurSvc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_thread_monitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\FgndBackgrndAppsAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_display_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.EF6.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ctypes.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_wifi_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32ts.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_modeler.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api\x64\UpdateServiceProxy64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\_win32sysloader.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\GenericSqlATLSupport.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\DevUseAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_lzma.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2855.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI235C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_crashlog_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_multiprocessing.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\HWPowerStatsTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\python311.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32trace.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\perfmon.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32pipe.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2513.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\NetworkBandwidthAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\LICENSE.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\licenses.txt Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\icacls.exe "C:\Windows\system32\icacls.exe" "C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv.exe" /inheritance:r /grant:r SYSTEM:F Administrators:R Users:R
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: esrv_svc.exe.1.dr Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Memory allocated: 16C77C80000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Memory allocated: 16C796F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI227E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\EntityFramework.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\shell_executor.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DriverDetection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\PhatAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\IntelSoftwareAssetManagerService.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\TextExtractorAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vcruntime140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI24C4.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\bertreader.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32service.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pythoncom311.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_atomic_wait.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_queue.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vccorlib140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\SystemUsageByFgndAppAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\VCRUNTIME140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\productivity_link_helper.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pywin32_system32\pywintypes311.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32evtlog.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_fps_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\EventLogCollection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\semav6msr64.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DBAccessLayer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\OSSystemAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\analyzer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_codecvt_ids.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\AudioAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI226E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sql_logger.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\HeartBeatAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_hw_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\CapiEtlAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\HWMetaTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\WifiAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32inet.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\devices_use_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DSACoreInterop64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\ScheduleUpdates.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_desktop_mapper_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\IntelFgndAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_socket.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI26AC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ssl.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_hashlib.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_daq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_user_waiting_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\vcruntime140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_acpi_battery_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32security.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\SystemPowerStateAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_phat_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_foreground_window_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\CrashLogAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\pyexpat.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32process.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\FPSAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libcrypto-3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\SleepStudyAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32event.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib_security.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\crashlog_extractor.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\BrowserHistoryAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_os_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\sqlite3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_elementtree.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DttEtlAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\UserWaitTimeAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DisplayStateAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI25D0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_heartbeat_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\ProcessAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\CSMEAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_process_watcher_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\concrt140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI271A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_csme_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DSADcaIntegration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\BatteryAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32api.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI27B7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\servicemanager.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI21C1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_system_power_state_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libffi-8.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Config.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32file.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32profile.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\libssl-3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\BoundnessEventsAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI38D0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\ICIP\Config.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_sur_sysprep.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\pl_agent_lib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\select.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_decimal.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\libcrypto-3-x64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\unicodedata.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI234B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\AnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_audio_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_etw_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\E73D8FD4A5508B94397103E5DCB1D9F1\2.4.10654\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\OSPerfCounterAnalyzerTasks.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\SurSvc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\FgndBackgrndAppsAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_thread_monitor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_display_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.EF6.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_ctypes.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_wifi_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32ts.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_modeler.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\api\x64\UpdateServiceProxy64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\_win32sysloader.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\GenericSqlATLSupport.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\DevUseAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_lzma.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2855.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI235C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_lib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\intel_crashlog_input.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\_multiprocessing.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\HWPowerStatsTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\python311.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32trace.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\perfmon.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv_svc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\Updater\bin\win32\win32pipe.pyd Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2513.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\System.Data.SQLite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\Intel\SUR\QUEENCREEK\NetworkBandwidthAnalyzerTask.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: esrv_svc.exe.1.dr Binary or memory string: VMware-
Source: esrv_svc.exe.1.dr Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Memory allocated: page read and write | page guard
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe "C:\Program Files\Intel\SUR\ICIP\SurConsent.exe" -install
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c cd "C:\Program Files\Intel\SUR\QUEENCREEK\" && if exist SurSvc.exe (start /b /wait /d "C:\Program Files\Intel\SUR\QUEENCREEK\" SurSvc.exe /uninstall)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c if exist "%PROGRAMDATA%\\Intel\\SharedData\\SDID" (del /f "%PROGRAMDATA%\\Intel\\SharedData\\SDID")
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C RMDIR /S /Q "C:\Program Files\Intel\SUR\QUEENCREEK\Updater\" && RMDIR /S /Q "C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\Updater\"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\icacls.exe "C:\Windows\system32\icacls.exe" "C:\Program Files\Intel\SUR\QUEENCREEK\x64\esrv.exe" /inheritance:r /grant:r SYSTEM:F Administrators:R Users:R
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Queries volume information: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe VolumeInformation
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Queries volume information: C:\Program Files\Intel\SUR\ICIP\Config.dll VolumeInformation
Source: C:\Program Files\Intel\SUR\ICIP\SurConsent.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
No contacted IP infos