2343cb780d1a0c8543bb76c7c7586f9af957655ee20655871b85092b0ecbb055

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02/02/2024, 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autodesk License Patcher Uninstaller.exe
Size

225KB
MD5

8fdb0ed20826feb0512321dac91a93bd
SHA1

753d87a8f74fdb4cf9c9a8562ebb28eb0513ef17
SHA256

2343cb780d1a0c8543bb76c7c7586f9af957655ee20655871b85092b0ecbb055
SHA512

dd22e44ad19a54707c084b176ebdee9aeee426154c6b9f4c4ce911e80367100c1fdcba4b3a348c0a0b57557468baf9a2082a7eb42c83fcb8bacc83e0cc30504a
SSDEEP

3072:i3pox1w8FCoFjKej0u/Dt1XWhlPhoutuFLtVBjnmATFPJg:i58u8PFjcurvXUlPhoSuvfTZphg

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2276	netsh.exe
1256	netsh.exe
1072	netsh.exe
1176	netsh.exe
2804	netsh.exe
268	netsh.exe
2876	netsh.exe
976	netsh.exe
1760	netsh.exe
2172	netsh.exe
1408	netsh.exe
2540	netsh.exe
1884	netsh.exe
524	netsh.exe
1568	netsh.exe
1052	netsh.exe
2420	netsh.exe
2928	netsh.exe
580	netsh.exe
2400	netsh.exe
1576	netsh.exe
1980	netsh.exe
2032	netsh.exe
2436	netsh.exe
824	netsh.exe
396	netsh.exe
2032	netsh.exe
2372	netsh.exe
1640	netsh.exe
1816	netsh.exe
2204	netsh.exe
2160	netsh.exe
2488	netsh.exe
2500	netsh.exe
688	netsh.exe
1596	netsh.exe
916	netsh.exe
2144	netsh.exe
2400	netsh.exe
2964	netsh.exe
1020	netsh.exe
1072	netsh.exe
2680	netsh.exe
1772	netsh.exe
2616	netsh.exe
2172	netsh.exe
1772	netsh.exe
112	netsh.exe
1888	netsh.exe
2364	netsh.exe
2108	netsh.exe
2580	netsh.exe
2636	netsh.exe
1636	netsh.exe
776	netsh.exe
1824	netsh.exe
2608	netsh.exe
1988	netsh.exe
2920	netsh.exe
660	netsh.exe
1580	netsh.exe
2920	netsh.exe
1656	netsh.exe
2624	netsh.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1112-0-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/1112-10-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.Admin\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.Admin\shell\runas	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\.Admin\shell\runas\command	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2704	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2156	PING.EXE
2744	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2784	1112	Autodesk License Patcher Uninstaller.exe	28
PID 1112 wrote to memory of 2784	1112	Autodesk License Patcher Uninstaller.exe	28
PID 1112 wrote to memory of 2784	1112	Autodesk License Patcher Uninstaller.exe	28
PID 1112 wrote to memory of 2784	1112	Autodesk License Patcher Uninstaller.exe	28
PID 1112 wrote to memory of 2784	1112	Autodesk License Patcher Uninstaller.exe	28
PID 1112 wrote to memory of 2784	1112	Autodesk License Patcher Uninstaller.exe	28
PID 1112 wrote to memory of 2784	1112	Autodesk License Patcher Uninstaller.exe	28
PID 2784 wrote to memory of 2728	2784	cmd.exe	30
PID 2784 wrote to memory of 2728	2784	cmd.exe	30
PID 2784 wrote to memory of 2728	2784	cmd.exe	30
PID 2784 wrote to memory of 2728	2784	cmd.exe	30
PID 2784 wrote to memory of 2696	2784	cmd.exe	31
PID 2784 wrote to memory of 2696	2784	cmd.exe	31
PID 2784 wrote to memory of 2696	2784	cmd.exe	31
PID 2784 wrote to memory of 2696	2784	cmd.exe	31
PID 2784 wrote to memory of 2704	2784	cmd.exe	32
PID 2784 wrote to memory of 2704	2784	cmd.exe	32
PID 2784 wrote to memory of 2704	2784	cmd.exe	32
PID 2784 wrote to memory of 2704	2784	cmd.exe	32
PID 2784 wrote to memory of 2580	2784	cmd.exe	33
PID 2784 wrote to memory of 2580	2784	cmd.exe	33
PID 2784 wrote to memory of 2580	2784	cmd.exe	33
PID 2784 wrote to memory of 2580	2784	cmd.exe	33
PID 2784 wrote to memory of 2156	2784	cmd.exe	34
PID 2784 wrote to memory of 2156	2784	cmd.exe	34
PID 2784 wrote to memory of 2156	2784	cmd.exe	34
PID 2784 wrote to memory of 2156	2784	cmd.exe	34
PID 2784 wrote to memory of 2744	2784	cmd.exe	35
PID 2784 wrote to memory of 2744	2784	cmd.exe	35
PID 2784 wrote to memory of 2744	2784	cmd.exe	35
PID 2784 wrote to memory of 2744	2784	cmd.exe	35
PID 2784 wrote to memory of 2692	2784	cmd.exe	36
PID 2784 wrote to memory of 2692	2784	cmd.exe	36
PID 2784 wrote to memory of 2692	2784	cmd.exe	36
PID 2784 wrote to memory of 2692	2784	cmd.exe	36
PID 2784 wrote to memory of 3060	2784	cmd.exe	37
PID 2784 wrote to memory of 3060	2784	cmd.exe	37
PID 2784 wrote to memory of 3060	2784	cmd.exe	37
PID 2784 wrote to memory of 3060	2784	cmd.exe	37
PID 2784 wrote to memory of 2092	2784	cmd.exe	38
PID 2784 wrote to memory of 2092	2784	cmd.exe	38
PID 2784 wrote to memory of 2092	2784	cmd.exe	38
PID 2784 wrote to memory of 2092	2784	cmd.exe	38
PID 2784 wrote to memory of 2000	2784	cmd.exe	39
PID 2784 wrote to memory of 2000	2784	cmd.exe	39
PID 2784 wrote to memory of 2000	2784	cmd.exe	39
PID 2784 wrote to memory of 2000	2784	cmd.exe	39
PID 2784 wrote to memory of 948	2784	cmd.exe	40
PID 2784 wrote to memory of 948	2784	cmd.exe	40
PID 2784 wrote to memory of 948	2784	cmd.exe	40
PID 2784 wrote to memory of 948	2784	cmd.exe	40
PID 2784 wrote to memory of 1228	2784	cmd.exe	41
PID 2784 wrote to memory of 1228	2784	cmd.exe	41
PID 2784 wrote to memory of 1228	2784	cmd.exe	41
PID 2784 wrote to memory of 1228	2784	cmd.exe	41
PID 2784 wrote to memory of 2804	2784	cmd.exe	42
PID 2784 wrote to memory of 2804	2784	cmd.exe	42
PID 2784 wrote to memory of 2804	2784	cmd.exe	42
PID 2784 wrote to memory of 2804	2784	cmd.exe	42
PID 2784 wrote to memory of 2920	2784	cmd.exe	43
PID 2784 wrote to memory of 2920	2784	cmd.exe	43
PID 2784 wrote to memory of 2920	2784	cmd.exe	43
PID 2784 wrote to memory of 2920	2784	cmd.exe	43
PID 2784 wrote to memory of 2416	2784	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Uninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Autodesk License Patcher Uninstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherUninstaller.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\chcp.com
    chcp 1254
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=70 lines=15
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:2704
- - C:\Windows\SysWOW64\fltMC.exe
    fltmc
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 15
    3⤵
    - Runs ping.exe
    PID:2156
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - Runs ping.exe
    PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /tn "\Microsoft\Windows\Autodesk\Autodesk" /f
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="AutodeskNLM"
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe"
    3⤵
    PID:948
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe"
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE"
    3⤵
    - Modifies Windows Firewall
    PID:2804
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE"
    3⤵
    - Modifies Windows Firewall
    PID:2920
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\7-Zip\7z.exe"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\7-Zip\7z.exe"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\7-Zip\7zFM.exe"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\7-Zip\7zFM.exe"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\7-Zip\7zG.exe"
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\7-Zip\7zG.exe"
    3⤵
    PID:312
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\7-Zip\Uninstall.exe"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\7-Zip\Uninstall.exe"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2400
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2276
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1816
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe"
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1888
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1656
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe"
    3⤵
    PID:552
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
    3⤵
    - Modifies Windows Firewall
    PID:824
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE"
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    - Modifies Windows Firewall
    PID:2204
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\DVD Maker\DVDMaker.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2160
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\DVD Maker\DVDMaker.exe"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2608
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Google\Chrome\Application\chrome_proxy.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2964
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Google\Chrome\Application\chrome_proxy.exe"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2488
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe"
    3⤵
    - Modifies Windows Firewall
    PID:580
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1020
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2364
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Internet Explorer\iediagcmd.exe"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Internet Explorer\iediagcmd.exe"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Internet Explorer\ieinstal.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1988
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Internet Explorer\ieinstal.exe"
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Internet Explorer\ielowutil.exe"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Internet Explorer\ielowutil.exe"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1072
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1568
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2400
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe"
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe"
    3⤵
    - Modifies Windows Firewall
    PID:396
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe"
    3⤵
    PID:784
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe"
    3⤵
    PID:696
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe"
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe"
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\java.exe"
    3⤵
    - Modifies Windows Firewall
    PID:112
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\java.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2500
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe"
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2680
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2636
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1576
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe"
    3⤵
    - Modifies Windows Firewall
    PID:688
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe"
    3⤵
    PID:772
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2920
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2172
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2624
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe"
    3⤵
    PID:312
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe"
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1596
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2108
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe"
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1408
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2420
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1052
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe"
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2540
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1772
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1884
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe"
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe"
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1980
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe"
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe"
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe"
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe"
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe"
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2616
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe"
    3⤵
    - Modifies Windows Firewall
    PID:268
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe"
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2928
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2032
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe"
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe"
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1640
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1636
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2436
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe"
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe"
    3⤵
    PID:396
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe"
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe"
    3⤵
    - Modifies Windows Firewall
    PID:660
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe"
    3⤵
    - Modifies Windows Firewall
    PID:776
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe"
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe"
    3⤵
    - Modifies Windows Firewall
    PID:916
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe"
    3⤵
    - Modifies Windows Firewall
    PID:524
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe"
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1580
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2580
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe"
    3⤵
    PID:956
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2144
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2876
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe"
    3⤵
    PID:688
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe"
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe"
    3⤵
    - Modifies Windows Firewall
    PID:976
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2032
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2172
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe"
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\jabswitch.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1072
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\jabswitch.exe"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\java-rmi.exe"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\java-rmi.exe"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\java.exe"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\java.exe"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\javacpl.exe"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\javacpl.exe"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\javaw.exe"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\javaw.exe"
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\javaws.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2372
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\javaws.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1256
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\jp2launcher.exe"
    3⤵
    PID:980
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\jp2launcher.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1824
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\keytool.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1176
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\keytool.exe"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\kinit.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1760
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\kinit.exe"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\klist.exe"
    3⤵
    - Modifies Windows Firewall
    PID:1772
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\klist.exe"
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\ktab.exe"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\ktab.exe"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\orbd.exe"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\orbd.exe"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Allowed C:\Program Files\Java\jre7\bin\pack200.exe"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall delete rule name="Blocked C:\Program Files\Java\jre7\bin\pack200.exe"
    3⤵
    PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AutodeskLicensePatcherUninstaller\AutodeskLicensePatcherUninstaller.bat

Filesize
5KB

MD5
06005a6038452582d28fc65a62ed1612

SHA1
4c8b36375b1d6228b517d9159950b5afd85f03ac

SHA256
bd7d4183901679a4c095418a5ce2fa05c76c7da2ca69c2c27ff9d59d8856a59f

SHA512
2d7d1e43f69bc2d3fe22f8acbe3d1f572944e4a626a2222ef410d54819d7879008f06fb267d8d217a1478f3a64679748123d4cd7e149d72723a471f8ae73e1b5

Download Submit
memory/1112-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1112-10-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads