Edit tour

Windows Analysis Report
AudioCodesAppSuite.exe

Overview

General Information

Sample name:	AudioCodesAppSuite.exe
Analysis ID:	1587822
MD5:	e8b8f253038fa8d6b0fc92e5e13bc185
SHA1:	2b453e43890063bfa80cbeafaf21128f17d43213
SHA256:	940a36dc38446f4a878b29474138bdf1c8e8faa59a680301456726f937eada80
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	50
Range:	0 - 100

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)

Creates multiple autostart registry keys

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables driver privileges

Enables security privileges

Found dropped PE file which has not been started or loaded

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious MsiExec Embedding Parent

Sigma detected: Use Short Name Path in Command Line

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

svchost.exe (PID: 6900 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AudioCodesAppSuite.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\AudioCodesAppSuite.exe" MD5: E8B8F253038FA8D6B0FC92E5E13BC185)

AudioCodesAppSuite.exe (PID: 7112 cmdline: "C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe" -burn.clean.room="C:\Users\user\Desktop\AudioCodesAppSuite.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652 MD5: 713FBE0DFE40D0F29D8EA60D5839AEC5)

AudioCodes App Suite_1.2.0.10.exe (PID: 2232 cmdline: "C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe" -q -burn.elevated BurnPipe.{1E7B6431-AA5E-4AB2-B188-5A5F27990A8C} {872B8E36-896D-4DA8-9A49-0AA90E513431} 7112 MD5: 713FBE0DFE40D0F29D8EA60D5839AEC5)

cmd.exe (PID: 2956 cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\custom_act.cmd" MsiExec.exe /quiet /X {1ED60F87-9DD1-4A3A-9A7F-BAA708F6FFA5} MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7136 cmdline: MsiExec.exe /quiet /X {1ED60F87-9DD1-4A3A-9A7F-BAA708F6FFA5} MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 6704 cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\cleaning_up_1.cmd" rd /s /q c:\PROGRA~2\AudioCodes\MTR MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6200 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6440 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6496 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6532 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 4280 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 3764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6740 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

VSSVC.exe (PID: 4004 cmdline: C:\Windows\system32\vssvc.exe MD5: 875046AD4755396636A68F4A9EDB22A4)

svchost.exe (PID: 5192 cmdline: C:\Windows\System32\svchost.exe -k swprv MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SrTasks.exe (PID: 3060 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 6612 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4284 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 858F3915C070FC9440284D95BC84A9C8 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7076 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FD2693E6E89D476E86CC362884034874 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

system_ui.exe (PID: 4276 cmdline: "C:\Program Files\AudioCodes\DM Client\system_ui.exe" MD5: F8BEA85FE40413FE0E57F11551CBFA4D)

msiexec.exe (PID: 7128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 54E9FE486362F533840C69F5DAA10592 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1256 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 43B54B8776100830EC531CBAA63FEE6F E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5864 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E548DB2F1D63A1C6E354125D869B28C1 MD5: 9D09DC1EDA745A5F87553048E57620CF)

ISBEW64.exe (PID: 5156 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6BDEB247-9D01-48AA-ABCD-D87B5061EFBD} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 4928 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51D50112-ED8F-4781-BDCA-DB3DB9A2908F} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 3744 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19C0EDDD-2DE5-4E07-A4C2-F5F77C78BC0D} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 2124 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90BC320F-060E-42A7-886E-D73D1B212003} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 3780 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1AEA6D95-DB36-4158-B832-24FAEA19FC8C} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 6332 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DC96E7AD-7558-4DE6-B328-D7BE884EBB80} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 2116 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F07E5476-CA61-4057-8CFC-0691175DB699} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 1420 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BC0D5A7-F5BF-407C-9C58-6BECD74CE13D} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 644 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B31811A-1B04-4DE5-8863-2A7DAB70B909} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 5836 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6B428F2-4071-4724-9233-C0B7B7431B5B} MD5: 0F316043BFD136A509347148D203D541)

ISBEW64.exe (PID: 1544 cmdline: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00529697-12CC-4FCF-B6DD-B652855A2BA0} MD5: 0F316043BFD136A509347148D203D541)

cmd.exe (PID: 6100 cmdline: cmd.exe /C netsh advfirewall firewall delete rule name="AudioCodes Device Duo" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 4204 cmdline: netsh advfirewall firewall delete rule name="AudioCodes Device Duo" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

msiexec.exe (PID: 1444 cmdline: C:\Windows\System32\MsiExec.exe -Embedding EF35E424742556F3A46DACF60A0CE384 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)

sc.exe (PID: 1392 cmdline: sc.exe failure "AcDeviceDuo" reset= 0 actions= restart/60000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

emsc.exe (PID: 1600 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

emsc.exe (PID: 5564 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

AudioCodes Camera Service.exe (PID: 4104 cmdline: "C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe" MD5: 53A7E7279304B5052571870208ADDD54)

emsc.exe (PID: 848 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

emsc.exe (PID: 2476 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

emsc.exe (PID: 3788 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

emsc.exe (PID: 3736 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

svchost.exe (PID: 5060 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

drvinst.exe (PID: 1520 cmdline: DrvInst.exe "4" "1" "c:\program files (x86)\audiocodes\device duo\audiocodesb2goe_usb.inf" "9" "4a60a61bb" "00000000000000F4" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\audiocodes\device duo" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 5812 cmdline: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:741f41b506a957ba:B2G_VirtualBusDriver_Device:1.3.6.5:root\b2g_virtualbusdriver," "4a60a61bb" "00000000000000F4" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

emsc.exe (PID: 5892 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

emsc.exe (PID: 6208 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

emsc.exe (PID: 400 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

emsc.exe (PID: 4412 cmdline: "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service MD5: 21A984BC0631FC7D70C6C606495E9C3D)

DeviceDuoService.exe (PID: 3824 cmdline: "C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe" MD5: A9DA4077A7050C3A2745F547E4BD0FC2)

DeviceDuoService.exe (PID: 1160 cmdline: "C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe" MD5: A9DA4077A7050C3A2745F547E4BD0FC2)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\AudioCodes\DM Client\system_ui.exe", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 6612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioCodes DM Client UI

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: cmd.exe /C netsh advfirewall firewall delete rule name="AudioCodes Device Duo", CommandLine: cmd.exe /C netsh advfirewall firewall delete rule name="AudioCodes Device Duo", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding E548DB2F1D63A1C6E354125D869B28C1, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 5864, ParentProcessName: msiexec.exe, ProcessCommandLine: cmd.exe /C netsh advfirewall firewall delete rule name="AudioCodes Device Duo", ProcessId: 6100, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\cleaning_up_1.cmd" rd /s /q c:\PROGRA~2\AudioCodes\MTR, CommandLine: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\cleaning_up_1.cmd" rd /s /q c:\PROGRA~2\AudioCodes\MTR, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe" -q -burn.elevated BurnPipe.{1E7B6431-AA5E-4AB2-B188-5A5F27990A8C} {872B8E36-896D-4DA8-9A49-0AA90E513431} 7112, ParentImage: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe, ParentProcessId: 2232, ParentProcessName: AudioCodes App Suite_1.2.0.10.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\cleaning_up_1.cmd" rd /s /q c:\PROGRA~2\AudioCodes\MTR, ProcessId: 6704, ProcessName: cmd.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Package Cache\{be54e699-bb8b-43bf-8829-09565d7525fb}\AudioCodes App Suite_1.2.0.10.exe" /burn.runonce, EventID: 13, EventType: SetValue, Image: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe, ProcessId: 2232, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{be54e699-bb8b-43bf-8829-09565d7525fb}

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6900, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: AudioCodesAppSuite.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gtest_main.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_cfg_gtest.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\acl_env_params.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\winport.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\scep.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\emsc.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libcrypto-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\uv_app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ExportTrustedRootCAs.ps1
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_common.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\c_rehash.pl
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\httpc.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\openssl.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\HAL.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gmock_main.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libssl-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libuv_app_gtest.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\emsc_gtest.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libexpat.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\param_tool.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\device_upgrade.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\system_ui.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libcurl.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_des3.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gmock.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\text.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\device_management.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\inifile.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\uv.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gtest.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_curl_tftp.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\test.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\curl.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\cares.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\uriparser.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\syslog_msg.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\winport.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\libcrypto-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\libusb-1.0.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\uv_app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\ExportTrustedRootCAs.ps1
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\ac_common.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe.metagen
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade\UsbDevCfg.ini
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\USBCameraTool.map
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\UsbUtil.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x64.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtGui4.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\config.ini
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x86.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\HAL.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\hidapi.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcp100.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\libexpat.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\objectfactory.json
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtCore4.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\device_upgrade.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\WebCamLib.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\ac_des3.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\audio_analysis.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\text.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\device_management.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\tmp
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\tmp\.gitignore
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\logs
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\logs\.gitignore
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\snapshots
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\snapshots\.gitignore
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\inifile.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\uv.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade\MicArrayFwUpdTool.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\USBCameraConsoleTool.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\UsbUtild.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\cares.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\readme.txt
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\syslog_msg.dll

Creates a software restore point

Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9C73A861-DF15-4EB8-A20B-6696D7E153F9}

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\readme.txt

PE / OLE file has a valid certificate

Source: AudioCodesAppSuite.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: AudioCodesAppSuite.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\svchost.exe	File opened: d:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Networking

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: office.com

System Summary

Creates driver files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\AudioCodes\Device Duo\AudioCodesB2GoE_USB.sys

Creates files inside the driver directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\System32\DriverStore\FileRepository\audiocodesb2goe_usb.inf_amd64_0c42b9736d668426\audiocodesb2goe_usb.PNF

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48c1cb.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC3AF.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{9C73A861-DF15-4EB8-A20B-6696D7E153F9}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC47B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC49B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC4EB.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC52A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC9A0.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICA2D.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48c1ce.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48c1ce.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48c1cf.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{74CFF291-6D94-478F-890D-CECD25AAEB01}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID606.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID645.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDE35.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48c1d2.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48c1d2.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\48c1d3.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEBF2.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEC51.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{DE04E53C-AE5B-4630-AD95-5C63C3333027}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECCF.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECDF.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF84A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF8B9.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFE96.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{DE04E53C-AE5B-4630-AD95-5C63C3333027}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{DE04E53C-AE5B-4630-AD95-5C63C3333027}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{DE04E53C-AE5B-4630-AD95-5C63C3333027}\DeviceDuoControlle_69E583703C3349219962B37352964441.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\DriverStore\FileRepository\audiocodesb2goe_usb.inf_amd64_0c42b9736d668426\audiocodesb2goe_usb.PNF

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC3AF.tmp

Enables driver privileges

Source: C:\Windows\System32\msiexec.exe

Process token adjusted: Load Driver

Enables security privileges

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Uses 32bit PE files

Source: AudioCodesAppSuite.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: mal56.evad.winEXE@89/132@1/10

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\AudioCodes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_03
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe

File created: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\

Source: AudioCodesAppSuite.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe

File read: C:\Users\user\Desktop\AudioCodesAppSuite.exe

Source: unknown	Process created: C:\Users\user\Desktop\AudioCodesAppSuite.exe "C:\Users\user\Desktop\AudioCodesAppSuite.exe"
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Process created: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe "C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe" -burn.clean.room="C:\Users\user\Desktop\AudioCodesAppSuite.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Process created: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe "C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe" -burn.clean.room="C:\Users\user\Desktop\AudioCodesAppSuite.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Process created: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe "C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe" -q -burn.elevated BurnPipe.{1E7B6431-AA5E-4AB2-B188-5A5F27990A8C} {872B8E36-896D-4DA8-9A49-0AA90E513431} 7112
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Process created: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe "C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe" -q -burn.elevated BurnPipe.{1E7B6431-AA5E-4AB2-B188-5A5F27990A8C} {872B8E36-896D-4DA8-9A49-0AA90E513431} 7112
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\custom_act.cmd" MsiExec.exe /quiet /X {1ED60F87-9DD1-4A3A-9A7F-BAA708F6FFA5}
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MsiExec.exe /quiet /X {1ED60F87-9DD1-4A3A-9A7F-BAA708F6FFA5}
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\cleaning_up_1.cmd" rd /s /q c:\PROGRA~2\AudioCodes\MTR
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 858F3915C070FC9440284D95BC84A9C8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FD2693E6E89D476E86CC362884034874 E Global\MSI0000
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\AudioCodes\DM Client\system_ui.exe "C:\Program Files\AudioCodes\DM Client\system_ui.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54E9FE486362F533840C69F5DAA10592
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 43B54B8776100830EC531CBAA63FEE6F E Global\MSI0000
Source: unknown	Process created: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe "C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe"
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E548DB2F1D63A1C6E354125D869B28C1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6BDEB247-9D01-48AA-ABCD-D87B5061EFBD}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51D50112-ED8F-4781-BDCA-DB3DB9A2908F}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19C0EDDD-2DE5-4E07-A4C2-F5F77C78BC0D}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90BC320F-060E-42A7-886E-D73D1B212003}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1AEA6D95-DB36-4158-B832-24FAEA19FC8C}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DC96E7AD-7558-4DE6-B328-D7BE884EBB80}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F07E5476-CA61-4057-8CFC-0691175DB699}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BC0D5A7-F5BF-407C-9C58-6BECD74CE13D}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B31811A-1B04-4DE5-8863-2A7DAB70B909}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6B428F2-4071-4724-9233-C0B7B7431B5B}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00529697-12CC-4FCF-B6DD-B652855A2BA0}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C netsh advfirewall firewall delete rule name="AudioCodes Device Duo"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="AudioCodes Device Duo"
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\custom_act.cmd" MsiExec.exe /quiet /X {1ED60F87-9DD1-4A3A-9A7F-BAA708F6FFA5}
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding EF35E424742556F3A46DACF60A0CE384 E Global\MSI0000
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\cleaning_up_1.cmd" rd /s /q c:\PROGRA~2\AudioCodes\MTR
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "c:\program files (x86)\audiocodes\device duo\audiocodesb2goe_usb.inf" "9" "4a60a61bb" "00000000000000F4" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\audiocodes\device duo"
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: unknown	Process created: C:\Program Files\AudioCodes\DM Client\emsc.exe "C:\Program Files\AudioCodes\DM Client\emsc.exe" --service
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:741f41b506a957ba:B2G_VirtualBusDriver_Device:1.3.6.5:root\b2g_virtualbusdriver," "4a60a61bb" "00000000000000F4"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure "AcDeviceDuo" reset= 0 actions= restart/60000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe "C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 858F3915C070FC9440284D95BC84A9C8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FD2693E6E89D476E86CC362884034874 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\AudioCodes\DM Client\system_ui.exe "C:\Program Files\AudioCodes\DM Client\system_ui.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 54E9FE486362F533840C69F5DAA10592
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 43B54B8776100830EC531CBAA63FEE6F E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E548DB2F1D63A1C6E354125D869B28C1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding EF35E424742556F3A46DACF60A0CE384 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure "AcDeviceDuo" reset= 0 actions= restart/60000
Source: unknown	Process created: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe "C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6BDEB247-9D01-48AA-ABCD-D87B5061EFBD}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51D50112-ED8F-4781-BDCA-DB3DB9A2908F}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19C0EDDD-2DE5-4E07-A4C2-F5F77C78BC0D}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90BC320F-060E-42A7-886E-D73D1B212003}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1AEA6D95-DB36-4158-B832-24FAEA19FC8C}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DC96E7AD-7558-4DE6-B328-D7BE884EBB80}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F07E5476-CA61-4057-8CFC-0691175DB699}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BC0D5A7-F5BF-407C-9C58-6BECD74CE13D}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B31811A-1B04-4DE5-8863-2A7DAB70B909}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6B428F2-4071-4724-9233-C0B7B7431B5B}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00529697-12CC-4FCF-B6DD-B652855A2BA0}
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C netsh advfirewall firewall delete rule name="AudioCodes Device Duo"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "1" "c:\program files (x86)\audiocodes\device duo\audiocodesb2goe_usb.inf" "9" "4a60a61bb" "00000000000000F4" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\audiocodes\device duo"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:741f41b506a957ba:B2G_VirtualBusDriver_Device:1.3.6.5:root\b2g_virtualbusdriver," "4a60a61bb" "00000000000000F4"

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: msi.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: feclient.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: msi.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: version.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: cabinet.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: msxml3.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: feclient.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: iertutil.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: msimg32.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: explorerframe.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: textshaping.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: propsys.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: edputil.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: urlmon.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: srvcli.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: netutils.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: sspicli.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: appresolver.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: slc.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: userenv.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: sppc.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Section loaded: apphelp.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: msi.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: version.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: cabinet.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: msxml3.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: wldp.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: profapi.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: wintypes.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: srclient.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: spp.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: powrprof.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: vssapi.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: vsstrace.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: umpdc.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: usoapi.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: sxproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: feclient.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: iertutil.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: srpapi.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: netapi32.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: wkscli.dll
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: authz.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: es.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: catsrvut.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: mfcsubs.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\VSSVC.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: swprv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: apphelp.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: uv_app.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: httpc.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: device_management.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: app.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: text.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: ac_common.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: uv.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: app.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: ac_common.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: text.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: ac_common.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: cares.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: device_management.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: libcurl.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: ac_common.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: ac_common.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: libexpat.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: winport.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: hal.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: inifile.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: winport.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: userenv.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: libssl-1_1-x64.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: libcrypto-1_1-x64.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: libcrypto-1_1-x64.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: ac_des3.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: winport.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: libcrypto-1_1-x64.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: dbgcore.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: powrprof.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: umpdc.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: mswsock.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: msxml6.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: wpnapps.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: wintypes.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: rmclient.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: xmllite.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: usermgrcli.dll
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: mscoree.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: apphelp.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: uv.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: app.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: ac_common.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: msvcp140.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: vcruntime140_1.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: text.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: userenv.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: libexpat.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: winport.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: hal.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: inifile.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: dbgcore.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: version.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: powrprof.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: umpdc.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: mswsock.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: mf.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: mfplat.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: mfcore.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: ksuser.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: rtworkq.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: devenum.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: winmm.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: devobj.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: msasn1.dll
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Section loaded: msdmo.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spinf.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Section loaded: iphlpapi.dll

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Source: C:\Windows\System32\msiexec.exe

File written: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade\UsbDevCfg.ini

Uses Rich Edit Controls

Source: C:\Windows\SysWOW64\msiexec.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gtest_main.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_cfg_gtest.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\acl_env_params.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\winport.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\scep.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\emsc.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libcrypto-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\uv_app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ExportTrustedRootCAs.ps1
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_common.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\c_rehash.pl
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\httpc.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\openssl.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\HAL.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gmock_main.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libssl-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libuv_app_gtest.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\emsc_gtest.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libexpat.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\param_tool.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\device_upgrade.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\system_ui.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\libcurl.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_des3.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gmock.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\text.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\device_management.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\inifile.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\uv.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\gtest.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\ac_curl_tftp.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\test.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\curl.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\cares.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\uriparser.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\DM Client\syslog_msg.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\winport.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\libcrypto-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\libusb-1.0.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\uv_app.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\ExportTrustedRootCAs.ps1
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\ac_common.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe.metagen
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade\UsbDevCfg.ini
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\USBCameraTool.map
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\UsbUtil.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x64.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtGui4.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\config.ini
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x86.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\HAL.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\hidapi.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcp100.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\libexpat.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\objectfactory.json
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtCore4.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\device_upgrade.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\WebCamLib.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\ac_des3.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\audio_analysis.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\text.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\device_management.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\tmp
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\tmp\.gitignore
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\logs
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\logs\.gitignore
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\snapshots
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\snapshots\.gitignore
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\inifile.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\uv.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade\MicArrayFwUpdTool.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\USBCameraConsoleTool.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\UsbUtild.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\cares.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\readme.txt
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\AudioCodes\Camera Service\syslog_msg.dll

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9C73A861-DF15-4EB8-A20B-6696D7E153F9}

PE / OLE file has a valid certificate

Source: AudioCodesAppSuite.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: AudioCodesAppSuite.exe

Static file information: File size 25993192 > 1048576

PE file contains a mix of data directories often seen in goodware

Source: AudioCodesAppSuite.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AudioCodesAppSuite.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AudioCodesAppSuite.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AudioCodesAppSuite.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AudioCodesAppSuite.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AudioCodesAppSuite.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: AudioCodesAppSuite.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: AudioCodesAppSuite.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Source: AudioCodesAppSuite.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AudioCodesAppSuite.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AudioCodesAppSuite.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AudioCodesAppSuite.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AudioCodesAppSuite.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

PE file contains sections with non-standard names

Source: AudioCodesAppSuite.exe

Static PE information: section name: .wixburn

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	File created: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoController.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC9A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\hidapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\UsbUtil.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEC51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\Telerik.WinControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\httpc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\ac_cfg_gtest.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\ac_common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\gmock_main.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\libusb-1.0.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\SET7954.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\gtest_main.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\AudioCodesB2GoE_USB.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\VdiStates.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\winport.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\text.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\gmock.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\libexpat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\Telerik.WinControls.RichTextBox.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISRT.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC3AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\BusControlLibrary.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\libuv_app_gtest.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\HAL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\ac_curl_tftp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\param_tool.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\acl_env_params.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	File created: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\openssl.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\scep.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtGui4.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\uriparser.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\uv_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Lync.Model.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF8B9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\PairCodeGenerator.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\cares.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\test.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\emsc_gtest.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\syslog_msg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{DE04E53C-AE5B-4630-AD95-5C63C3333027}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.Unity.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISBEW64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\gtest.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\curl.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\AudioCodes\DM Client\emsc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Office.Uc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\log4net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\AudioCodes\Device Duo\LyncPcAudio.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	File created: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF8B9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC3AF.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\SET7954.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC9A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{DE04E53C-AE5B-4630-AD95-5C63C3333027}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIECDF.tmp	Jump to dropped file
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	File created: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEC51.tmp	Jump to dropped file

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\readme.txt

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AudioCodes DM Client UI
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AC.Device.Duo

Creates or modifies windows services

Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AudioCodes
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AudioCodes\DeviceDuo
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AudioCodes\DeviceDuo\AudioCodes Device Duo.lnk
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AudioCodes\DeviceDuo\Uninstall AudioCodes Device Duo.lnk
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AudioCodes\DeviceDuo\~ninstall AudioCodes Device Duo.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AudioCodes\DeviceDuo\Uninstall AudioCodes Device Duo.lnk~RF498cdb.TMP

Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {be54e699-bb8b-43bf-8829-09565d7525fb}
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {be54e699-bb8b-43bf-8829-09565d7525fb}
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {be54e699-bb8b-43bf-8829-09565d7525fb}
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {be54e699-bb8b-43bf-8829-09565d7525fb}
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AudioCodes DM Client UI
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AudioCodes DM Client UI
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AC.Device.Duo
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AC.Device.Duo

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\sc.exe sc.exe failure "AcDeviceDuo" reset= 0 actions= restart/60000

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\VSSVC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\AudioCodes\DM Client\system_ui.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Memory allocated: 1DE3F830000 memory reserve \| memory write watch
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Memory allocated: 1DE57AE0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Memory allocated: 192E0000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe	File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\svchost.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe

Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoController.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC9A0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\hidapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\UsbUtil.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEC51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\Telerik.WinControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\httpc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\ac_cfg_gtest.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\gmock_main.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\ac_common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\libusb-1.0.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\SET7954.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\gtest_main.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\AudioCodesB2GoE_USB.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\VdiStates.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIECDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\winport.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcp100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\text.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\gmock.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\libexpat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\Telerik.WinControls.RichTextBox.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{7E5FA71A-0657-4B39-8CA7-4C2F2802F98E}\ISRT.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC3AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\BusControlLibrary.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\libuv_app_gtest.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\ac_curl_tftp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\HAL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\param_tool.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\acl_env_params.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Dropped PE file which has not been started: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\openssl.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\scep.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtGui4.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\uriparser.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\uv_app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Lync.Model.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF8B9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\PairCodeGenerator.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\test.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\app.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\emsc_gtest.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\syslog_msg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{DE04E53C-AE5B-4630-AD95-5C63C3333027}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.Unity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\gtest.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\AudioCodes\DM Client\curl.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Office.Uc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\log4net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AudioCodes\Device Duo\LyncPcAudio.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 7000	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\SrTasks.exe TID: 1340	Thread sleep time: -290000s >= -30000s
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe TID: 1584	Thread sleep count: 326 > 30
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe TID: 5884	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files\AudioCodes\DM Client\system_ui.exe "C:\Program Files\AudioCodes\DM Client\system_ui.exe"

Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\AudioCodesAppSuite.exe	Process created: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe "C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe" -burn.clean.room="C:\Users\user\Desktop\AudioCodesAppSuite.exe" -burn.filehandle.attached=644 -burn.filehandle.self=652
Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Process created: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe "C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe" -q -burn.elevated BurnPipe.{1E7B6431-AA5E-4AB2-B188-5A5F27990A8C} {872B8E36-896D-4DA8-9A49-0AA90E513431} 7112
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\custom_act.cmd" MsiExec.exe /quiet /X {1ED60F87-9DD1-4A3A-9A7F-BAA708F6FFA5}
Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\ProgramData\Package Cache\1608BB75347CD8C40187E5F3C0A969ED73A98D51\cleaning_up_1.cmd" rd /s /q c:\PROGRA~2\AudioCodes\MTR
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure "AcDeviceDuo" reset= 0 actions= restart/60000

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	Queries volume information: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Queries volume information: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe VolumeInformation
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Queries volume information: C:\Program Files\AudioCodes\Camera Service\WebCamLib.dll VolumeInformation
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Queries volume information: C:\Program Files\AudioCodes\Camera Service\WebCamLib.dll VolumeInformation
Source: C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe	Queries volume information: C:\Program Files\AudioCodes\Camera Service\WebCamLib.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\AudioCodes\Device Duo\audiocodesb2goe_usb.cat VolumeInformation
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Queries volume information: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe VolumeInformation
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Queries volume information: C:\Program Files (x86)\AudioCodes\Device Duo\log4net.dll VolumeInformation
Source: C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	Queries volume information: C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.Unity.dll VolumeInformation

Source: C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.be\AudioCodes App Suite_1.2.0.10.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Modifies the windows firewall

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C netsh advfirewall firewall delete rule name="AudioCodes Device Duo"

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name="AudioCodes Device Duo"

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	32 Windows Service	32 Windows Service	32 Masquerading	OS Credential Dumping	3 Security Software Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	111 Registry Run Keys / Startup Folder	11 Process Injection	311 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 LSASS Driver	111 Registry Run Keys / Startup Folder	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 LSASS Driver	11 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 DLL Side-Loading	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
AudioCodesAppSuite.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Windows\Temp\{C5AB7AD0-8B6B-4A78-99F0-FC3C7E87CC9B}\.cr\AudioCodesAppSuite.exe	0%	ReversingLabs
C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.ba\wixstdba.dll	0%	ReversingLabs
C:\Windows\Temp\{EE890EE3-7A5E-4021-87B7-D3F99EED8AB5}\.ba\wixstdba.dll	0%	Virustotal	Browse
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtGui4.dll	0%	ReversingLabs
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\UsbUtil.dll	0%	ReversingLabs
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x64.exe	0%	ReversingLabs
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\devcon-x86.exe	0%	ReversingLabs
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\hidapi.dll	0%	ReversingLabs
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\libusb-1.0.dll	2%	ReversingLabs
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcp100.dll	0%	ReversingLabs
C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\msvcr100.dll	2%	ReversingLabs
C:\Program Files\AudioCodes\DM Client\emsc.exe	0%	ReversingLabs
C:\Program Files\AudioCodes\DM Client\system_ui.exe	0%	ReversingLabs
C:\Windows\Installer\MSIC3AF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC9A0.tmp	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\AudioCodesB2GoE_USB.sys	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\BusControlLibrary.dll	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoController.exe	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\LyncPcAudio.dll	2%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Lync.Model.dll	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Office.Uc.dll	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.ServiceLocation.dll	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.Unity.dll	0%	ReversingLabs
C:\Program Files (x86)\AudioCodes\Device Duo\Newtonsoft.Json.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
office.com	13.107.6.156	true	false		high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
2.23.242.162	unknown	European Union		8781	QA-ISPQA	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587822
Start date and time:	2025-01-10 17:33:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	75
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	AudioCodesAppSuite.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@89/132@1/10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtGui4.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	363876
Entropy (8bit):	6.679904855815163
Encrypted:	false
SSDEEP:
MD5:	0A4CA5E3EED196887F3B33918E9FD76F
SHA1:	E455121150490C38C97C2DA6C0A6D9F19F7C804E
SHA-256:	257FEA328BA19F30AF623A77C4BEEDB1AD40DBCF1B62B2C7EFC5DA69C943B067
SHA-512:	ACBB2361DA36D628A9E16A4CFBC6F7E6FC55B57DFB377B8FD8A25DB3EDDDF4DD6D8742118C7B1DB216DBB2875198F2ADA5544AAD237C929FA35CB7BB46892DF6
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@X\*Z.@.....@.....@.....@.....@.....@......&.{9C73A861-DF15-4EB8-A20B-6696D7E153F9}..AudioCodes DM Client!.AudioCodes DM Client_1.2.0.10.msi.@.....@.....@.....@........&.{4A16C067-3D3A-48E9-90AF-DF5E841F98BF}.....@.....@.....@.....@.......@.....@.....@.......@......AudioCodes DM Client......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B23D3133-6A90-5F78-B046-85A553389C3A}&.{9C73A861-DF15-4EB8-A20B-6696D7E153F9}.@......&.{47C03B18-8A62-58FB-B943-6B18ACFA9CDD}&.{9C73A861-DF15-4EB8-A20B-6696D7E153F9}.@......&.{601E4BF1-19F0-5333-94FF-0EFDDE0BC483}&.{9C73A861-DF15-4EB8-A20B-6696D7E153F9}.@......&.{34B3CFF6-2C43-549A-AB66-6A940A095F20}&.{9C73A861-DF15-4EB8-A20B-6696D7E153F9}.@......&.{A0AFD448-AF43-5B3E-B592-398E2B2A5538}&.{9C73A861-DF15-4EB8-A20B-6696D7E153F9}.@......&.{EB011603-F846-5B2A-8982-9473B5A3C282}&.{9C73A861-DF15-4EB8-A20B-6696D7E153F9}.@......&.{F79A7195-CD40-551C-8

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	151368
Entropy (8bit):	6.073319173988209
Encrypted:	false
SSDEEP:
MD5:	0F316043BFD136A509347148D203D541
SHA1:	9573614DEAA1FEC42A299752E0AD63174C85BD69
SHA-256:	081491C300116646E02FCA9982E69F663893E8B7B29708D2BAC2CE8DADEB245A
SHA-512:	99B28953A79A9AEA7F24A2ABE97B54384E2DA5D7D9D9A25E5301C83E432C97473ABC0263CFAE704650A255DD4C62A8940FB51D816E9EF06E55660CFED5D6FE60
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q..."..."..."..M"..."..["..."..J"..".@."...".@.".."..."u.."..D"..."..Z"...".._"..."Rich..."........................PE..d.....Q.........."......h....................@..........................................@..........................................................`..h....@..h....6..H.......x....................................................................................text...ng.......h.................. ..`.rdata...y.......z...l..............@..@.data...8?..........................@....pdata..h....@......................@..@.rsrc...h....`......................@..@.reloc...............0..............@..B........................................................................................................................................................................................................................................................

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2464
Entropy (8bit):	3.250005211702334
Encrypted:	false
SSDEEP:
MD5:	90290F165BC560FCF8F7278A6666505A
SHA1:	CC33A8E3E1691521C426C58BD610AB9214B289B7
SHA-256:	8B1A063A2F50FFFC51ECB86A8BBBC2D5437D4A53A0EA1D3C8F186D262E53CAD0
SHA-512:	1EE6159C84758284D4CAF6B51E2F50E5109392556CB0AC1AF2A29E322F01DD134D6AA9327EBF95D52A3B455EDC671E1D83CFA938D6794BD9F587866D6F786DAF
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. J.a.n. .. 1.0. .. 2.0.2.5. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1732376
Entropy (8bit):	7.978059947674261
Encrypted:	false
SSDEEP:
MD5:	BF5257B2CE982CF3EA43B3B3377C6B3A
SHA1:	C1451F9268F62023824F5DC6BD025D62C1F7F7AB
SHA-256:	48AD1205D6834C4546D21BBF9C8EEEEEFDA388840D63D99A5A0836361F54C024
SHA-512:	B1F3428E096D8FAB6290EB9F5DA06A15AA1A211283615AB26F27FF6134214B07FDFE8EFC95A28F7EBEECB56B4A7CA12F8EDFDB5700AC5C73912C6EF057FAB8DD
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.v...%...%...%.m+%...%.m:%...%...% ..%.m-%...%.m=%...%.m,%...%.m7%...%...%...%.m%...%.m/%...%Rich...%........................PE..d.....[J.........." .........0......................................................\f....@.........................................`................p..l!...`..,....,...C...........................................................................................text...L........................... ..`.data....J..........................@....pdata..,....`......................@..@.rsrc...l!...p..."..................@..@.reloc.............................@..B........................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\AudioCodesAppSuite.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	583992
Entropy (8bit):	7.083589160362997
Encrypted:	false
SSDEEP:
MD5:	713FBE0DFE40D0F29D8EA60D5839AEC5
SHA1:	874751F62F9F7B5611075F28F3F4F28B2A5E1EF5
SHA-256:	5F7789D0920F4ADA4BD1C7B7AF0AE594E1D58953C88FBA52905B98588B2B93E6
SHA-512:	46B6CDE53B1990CBE8AE51223F9CDCA7E012E0AE96D5B09D813362CA8E1D3F5FF03E1FAD03022205BB109C02DB562973AB6F34A31E7383FA6EDC95998C6735C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.o.}k..}k..}k.....wk......k.....ek../...nk../...ik../...Vk..t...xk..t...lk..}k..(j......6k......\|k..}k...k......\|k..Rich}k..........PE..L...2p.].....................~......q.............@..........................P............@..............................................:..............@).......=..0p..T....................p.......j..@...................4\|.......................text............................... ..`.rdata..`...........................@..@.data...............................@....wixburn8...........................@..@.rsrc....:.......<..................@..@.reloc...=.......>..................@..B........................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.073210744553412
Encrypted:	false
SSDEEP:
MD5:	656D246C6CE9A47F07EC793B6BB27F07
SHA1:	0C098838274F64DBB02500A68B855E6703DDDAF1
SHA-256:	77429FFF9C65F96BC190C4C14916423F0196A2A570970A095285364743172AF4
SHA-512:	9E47C89948CF63770F5E59B793B8625364C9F9B679B80B9CD821ABC9866C0BC23608AEEE9794AC45E547FF11BBD47DA7BDA640D72218507EE2FA9382A9419476
Malicious:	false
Reputation:	unknown
Preview:	..No rules match the specified criteria.....

Entrypoint:	0x42df71
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5D807032 [Tue Sep 17 05:33:38 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	42d651751c1d75ed4fa8fe71751854ff

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	01/05/2023 02:00:00 06/05/2026 01:59:59
Subject Chain	CN=AudioCodes Ltd, O=AudioCodes Ltd, L=Tel Aviv-Yafo, C=IL, SERIALNUMBER=520044132, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IL
Version:	3
Thumbprint MD5:	118DE50C691406BB5B471B730AB7F2AB
Thumbprint SHA-1:	8DBCD8FCD62A4A6679565606E8DD7D96256E61CA
Thumbprint SHA-256:	3DB9F88F8D06ED2794FAAF89A5751A078D8190733CEF6AB1FCB6CA88812CE5B9
Serial:	0E6E2800F8865B7F6D49EA8D93BA825E

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x680b4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6d000	0x3a84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x18c76a8	0x2940
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x3dd0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67030	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x67084	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x66a10	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4a000	0x3e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x67c34	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x48ff7	0x49000	c66f549d5fc7d10a5f63350701c6b3f9	False	0.5367883133561644	data	6.572059575788497	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4a000	0x1f760	0x1f800	5a2f02dbbbda51cfac50fb52cea6d11b	False	0.30963231646825395	data	5.137524712720983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6a000	0x16fc	0xa00	8fe8ba25b04a7beb04c2ab2d5e9ea736	False	0.27265625	data	3.1551613029957557	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wixburn	0x6c000	0x38	0x200	aee7f6d3e6c462aa2a1df8c1620576ad	False	0.130859375	data	0.7382437744532455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6d000	0x3a84	0x3c00	9839863cbd53ac20286ff2c46bd0ca42	False	0.330859375	data	5.52925708426747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x3dd0	0x3e00	7cc10e0060080262550138057fd6b87d	False	0.8069556451612904	data	6.788270717274864	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6d178	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.43185920577617326
RT_MESSAGETABLE	0x6da20	0x2840	data	English	United States	0.28823757763975155
RT_GROUP_ICON	0x70260	0x14	data	English	United States	1.15
RT_VERSION	0x70274	0x33c	data	English	United States	0.428743961352657
RT_MANIFEST	0x705b0	0x4d2	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1174), with CRLF line terminators	English	United States	0.47568881685575365

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegQueryValueExW, RegDeleteValueW, CloseEventLog, OpenEventLogW, ReportEventW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, ControlService, OpenSCManagerW, OpenServiceW, QueryServiceStatus, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, QueryServiceConfigW
USER32.dll	PeekMessageW, PostMessageW, IsWindow, WaitForInputIdle, PostQuitMessage, GetMessageW, TranslateMessage, MsgWaitForMultipleObjects, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, LoadCursorW, LoadBitmapW, SetWindowLongW, GetWindowLongW, GetCursorPos, MessageBoxW, CreateWindowExW, UnregisterClassW, RegisterClassW, DefWindowProcW, DispatchMessageW
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, SysFreeString
GDI32.dll	DeleteDC, DeleteObject, SelectObject, StretchBlt, GetObjectW, CreateCompatibleDC
SHELL32.dll	CommandLineToArgvW, SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoUninitialize, CoInitializeEx, CoInitialize, StringFromGUID2, CoCreateInstance, CoTaskMemFree, CLSIDFromProgID, CoInitializeSecurity
KERNEL32.dll	GetCPInfo, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileW, GetProcAddress, LocalFree, HeapSetInformation, GetLastError, GetModuleHandleW, FormatMessageW, lstrlenA, lstrlenW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, Sleep, GetLocalTime, GetModuleFileNameW, ExpandEnvironmentStringsW, GetTempPathW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, CompareStringW, GetCurrentProcessId, WriteFile, SetFilePointer, LoadLibraryW, GetSystemDirectoryW, CreateFileA, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, FindClose, GetCommandLineA, GetCurrentDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, MoveFileExW, GetCurrentProcess, GetCurrentThreadId, InitializeCriticalSection, DeleteCriticalSection, ReleaseMutex, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CreateProcessW, GetVersionExW, VerSetConditionMask, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, GetNativeSystemInfo, GetModuleHandleExW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetCommandLineW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetUserDefaultUILanguage, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ReadFile, SetFilePointerEx, DuplicateHandle, InterlockedExchange, InterlockedCompareExchange, LoadLibraryExW, CreateEventW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, SetEvent, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CompareStringA, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, GetThreadLocale, FindFirstFileExW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, DecodePointer, WriteConsoleW, GetModuleHandleA, GlobalAlloc, GlobalFree, GetFileSizeEx, CopyFileW, VirtualAlloc, VirtualFree, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetSystemInfo, VirtualProtect, VirtualQuery, GetComputerNameW, SetCurrentDirectoryW, GetFileType, GetACP, ExitProcess, GetStdHandle, InitializeCriticalSectionAndSpinCount, SetLastError, RtlUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RaiseException, LoadLibraryExA
RPCRT4.dll	UuidCreate

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AudioCodesAppSuite.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Config.Msi\48c1cd.rbs

C:\Config.Msi\48c1d1.rbs

C:\Program Files (x86)\AudioCodes\Device Duo\AudioCodesB2GoE_USB.inf

C:\Program Files (x86)\AudioCodes\Device Duo\AudioCodesB2GoE_USB.sys

C:\Program Files (x86)\AudioCodes\Device Duo\BusControlLibrary.dll

C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoController.exe

C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoController.exe.config

C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe

C:\Program Files (x86)\AudioCodes\Device Duo\DeviceDuoService.exe.config

C:\Program Files (x86)\AudioCodes\Device Duo\LyncPcAudio.dll

C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Lync.Model.dll

C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Office.Uc.dll

C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.ServiceLocation.dll

C:\Program Files (x86)\AudioCodes\Device Duo\Microsoft.Practices.Unity.dll

C:\Program Files (x86)\AudioCodes\Device Duo\Newtonsoft.Json.dll

C:\Program Files (x86)\AudioCodes\Device Duo\PairCodeGenerator.dll

C:\Program Files (x86)\AudioCodes\Device Duo\PcAppInfo.json

C:\Program Files (x86)\AudioCodes\Device Duo\Telerik.WinControls.RichTextBox.dll

C:\Program Files (x86)\AudioCodes\Device Duo\Telerik.WinControls.dll

C:\Program Files (x86)\AudioCodes\Device Duo\VdiStates.exe

C:\Program Files (x86)\AudioCodes\Device Duo\audiocodesb2goe_usb.cat

C:\Program Files (x86)\AudioCodes\Device Duo\log4net.dll

C:\Program Files (x86)\AudioCodes\Device Duo\log\Debuglog.txt

C:\Program Files (x86)\AudioCodes\Device Duo\log\Infolog.txt

C:\Program Files (x86)\AudioCodes\Device Duo\log\IsoLog.txt

C:\Program Files (x86)\AudioCodes\Device Duo\log\Warnlog.txt

C:\Program Files\AudioCodes\Camera Service\AudioCodes Camera Service.exe.metagen

C:\Program Files\AudioCodes\Camera Service\HAL.dll

C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\AudioFwUpgrade\UsbDevCfg.ini

C:\Program Files\AudioCodes\Camera Service\RXV90UpgradeTool\USBCameraConsoleTool\QtGui4.dll

Windows Analysis Report
AudioCodesAppSuite.exe

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre